Sam Hartman wrote:
> I do note that you're actually somewhat vulnerable to this replay even
> with signed bodies. I go get a free email account from an email
> provider with a reasonably good reputation. I send email containing
> the spam body I want to some recipient I control that will look good
> in to: headers. Now that I've got this signature, I can replay the
> message at any envelope recipient I want.

We note that attack in section 9.1.4 of the IIM specification. There
are a few ideas there for mitigating this attack, but I'm not sure any
of them are very acceptable.

> This puts the free email provider in the position of needing to revoke
> the key I'm using, but they cannot do that until the other mail signed
> with that key has had a chance to flow through the system.

This isn't hard with per-user keying; if a particular user misbehaves
(or has an account compromised) it's probably OK to de-authorize any
mail in transit. With a domain-level key, what you would like to do is
to revoke that particular user's authorization from the key. This could
be done in principle if the query to the originating domain contains
both the individual user address and key ID, but may severely constrain
the amount of caching of keys or key authorizations that can be used.
-Jim
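
The caching trade-off raised in the message above, as an added simulation that is not part of the original message or of the IIM specification. The Origin and Verifier classes, the key ID "domainkey1", the addresses and the TTL are all hypothetical stand-ins for the originating domain's authorization query and a receiving verifier's cache.

```python
class Origin:
    """Hypothetical stand-in for the originating domain's authorization service."""
    def __init__(self):
        self.revoked_users = set()   # (user, key_id) pairs de-authorized by the domain
        self.queries = 0             # how many queries verifiers have sent

    def authorized(self, key_id, user=None):
        self.queries += 1
        # A query without a user address can only be answered for the key as a whole.
        return (user, key_id) not in self.revoked_users


class Verifier:
    """Receiving side: caches authorization answers for ttl seconds."""
    def __init__(self, origin, per_user, ttl):
        self.origin, self.per_user, self.ttl = origin, per_user, ttl
        self.cache = {}              # cache key -> (answer, expiry time)

    def check(self, user, key_id, now):
        # Cache key is (user, key ID) when the query carries the user address,
        # otherwise the key ID alone.
        ck = (user, key_id) if self.per_user else (None, key_id)
        hit = self.cache.get(ck)
        if hit and hit[1] > now:
            return hit[0]
        answer = self.origin.authorized(key_id, ck[0])
        self.cache[ck] = (answer, now + self.ttl)
        return answer


def simulate(per_user, ttl=300, senders=1000):
    """Return (queries for first pass, abuser accepted inside TTL,
    abuser accepted after TTL, innocent user accepted after TTL)."""
    origin = Origin()
    verifier = Verifier(origin, per_user, ttl)
    users = [f"user{i}@example.com" for i in range(senders)]  # constructed addresses
    for u in users:                       # one message from each sender at t=0
        verifier.check(u, "domainkey1", now=0)
    first_pass = origin.queries
    origin.revoked_users.add((users[0], "domainkey1"))  # domain de-authorizes one user
    during_ttl = verifier.check(users[0], "domainkey1", now=10)
    after_ttl = verifier.check(users[0], "domainkey1", now=ttl + 1)
    other = verifier.check(users[1], "domainkey1", now=ttl + 1)
    return first_pass, during_ttl, after_ttl, other


if __name__ == "__main__":
    print("key ID only    :", simulate(per_user=False))
    print("user + key ID  :", simulate(per_user=True))
```

With key-ID-only queries the verifier sends one query for all 1000 senders but never sees the per-user revocation; with user-plus-key-ID queries the revocation takes effect once the cached answer expires, at the cost of one query per distinct sender.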