ietf-mailsig

Re: mailing list software, was What does the mailsig mechanism mean?

2004-11-01 18:03:52

On Mon, 2004-11-01 at 16:43 -0800, Jim Fenton wrote:
> At 04:20 AM 11/1/2004 +0000, John Levine wrote:
> > The third category [Freeware like Mailman, Sympa, and Majordomo] is
> > most difficult.  People tend to install the freeware packages and
> > forget about them, so it'll be a challenge to get them to upgrade,
> > unless they're behind a mailsig-aware MTA that handles the signatures
> > automagically.
>
> I'm a little worried about the mailing lists that are behind a
> mailsig-aware MTA, actually.
> What should mailing lists do about messages they sent which arrived
> without a signature?  I can think of 3 options:
>
> 1. Block them
> 2. Accept them and send them to the list without a signature from the
> list
> 3. Accept them and sign for the list
>
> I don't expect option 1 will be practical anytime soon.
>
> 2 seems promising; it seems only appropriate to sign if the input was
> signed.
>
> 3 sounds like a recipe to dilute the value of the list's signature,
> and seems like a good way to get messages signed by the list for use
> in a subsequent replay attack.  Of course, this would be more
> reasonable for closed lists.
>
> A mailing list behind a mailsig-aware MTA will tend to behave per
> option 3 by default.

I don't see any value in a Sender: address which signs its mail
_sometimes_ but not always. Either the list doesn't bother with mailsig
at all, and the final recipient will accept the mail when it arrives
purely by virtue of the fact that it wasn't accepting mail from that
Sender: address to be signed anyway, or the list (or its MTA) _does_
play the game and signs all its outgoing mail.

If I'm a spammer and I can get this mailing list to decide that my mail
isn't actually spam and hence forward it to all the subscribers.... why
precisely would I be so excited about the fact I can use it for a replay
attack? :)

-- 
dwmw2

