On Aug 5, 2005, at 9:11 PM, John Levine wrote:
>> It almost seems that replay can be detected just by monitoring the
>> number of queries against a user key.
>
> Only if you know in advance how many times a message will legitimately
> be delivered

Or if you see that a particular user key is being queried a million
times while most user keys are only queried hundreds of times in a
certain time period, that might be a clue that something is up.

> and can see through the recipients' DNS caches to know
> how many times a key was fetched, neither of which seems very likely.

That all depends on how far and wide the replay is being used. But
this is why I also added "This would be especially true if the other
key retrieval methods are used for user keying."

> Before we can describe a replay defense, the people who are concerned
> about replay need to define what replay means, i.e., what's the
> technical difference between a replay and a valid delivery. The
> definition can't require knowledge of people's mental states.

You don't like the description of replay attacks in Section 9.5 of
DKIM-base?

-andy
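
The query-count heuristic debated in this message, as an added example that is not part of the original thread: it counts key fetches per selector in an authoritative DNS query log and flags keys fetched far more widely than the typical key. Because recipient caches hide repeat fetches, it compares distinct resolvers rather than raw query counts. The log format, the per-user selector names, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed (constructed) log format: "<epoch> <resolver-ip> <qname> TXT"
LINE = re.compile(r"^(\d+) (\S+) (\S+) TXT$")
KEY = re.compile(r"^(?P<selector>.+)\._domainkey\.(?P<domain>.+?)\.?$", re.I)

def per_key_stats(lines, start, end):
    """Return {(selector, domain): (queries, distinct_resolvers)} for [start, end)."""
    queries = defaultdict(int)
    resolvers = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, src, qname = int(m.group(1)), m.group(2), m.group(3)
        k = KEY.match(qname)
        if not k or not (start <= ts < end):
            continue
        key = (k.group("selector").lower(), k.group("domain").lower())
        queries[key] += 1
        resolvers[key].add(src)
    return {k: (queries[k], len(resolvers[k])) for k in queries}

def flag_outliers(stats, factor=10, min_resolvers=5):
    """Flag keys fetched by far more distinct resolvers than the median key.

    An authoritative server only sees cache misses, so one resolver may stand
    for many deliveries; the resolver count is a lower bound on spread.
    """
    if not stats:
        return []
    typical = median(r for _, r in stats.values())
    return sorted(k for k, (_, r) in stats.items()
                  if r >= min_resolvers and r > factor * typical)

def sample_log():
    """Constructed data: three quiet user keys and one fetched by 40 resolvers."""
    lines = []
    for user in ("alice", "bob", "carol"):
        for i in range(2):
            lines.append(f"{1000 + i} 192.0.2.{i + 1} {user}._domainkey.example.com. TXT")
    for i in range(40):
        lines.append(f"{1000 + i} 198.51.100.{i + 1} dave._domainkey.example.com. TXT")
    lines.append("5000 198.51.100.9 alice._domainkey.example.com. TXT")  # outside window
    return lines
```

A flagged key is only a prompt for investigation: a legitimate mailing-list post fans out to many resolvers in the same way, which is the point raised in the quoted objection.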