ietf-mailsig

Re: Replay attacks, what's that?

2005-08-06 15:13:30

9.5  Replay Attacks

  In this attack, a user sends a message to be distributed to a
  mailing list, which results in the message being signed by the
  originating MTA.  The mailing list resends the message, including the
  original signature, to a large number of recipients, possibly by
  sending the message to many intermediate exploders that act as MTAs.
  The messages, not having been modified by the mailing list, have valid
  signatures.

If I may reply to myself here, I know of a variety of ways to detect
multiple message deliveries.  We've been doing that for years with
DCC.  What I don't see is the difference between the multiple
deliveries that are due to "replay" and the ones that are just normal
mail deliveries.  That's why I'm still waiting for a useful definition
of "replay", better than "multiple deliveries that we don't like."

DCC users are all familiar with this problem, since it means that we
have to manually whitelist all of the mailing lists we subscribe to to
keep them from being caught by DCC.  Having lived with it for a couple
of years, I strongly think that it's not something that we should try
to mix into a signature authentication scheme.  If it's important for
DKIM, why wasn't it equally important for S/MIME and PGP?

R's,
John
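
An added illustration of the argument above (not part of the original message, and not DCC's actual algorithm): a per-signature recipient counter sees a mailing-list fan-out and a "replay" as the same event, and only a manually maintained whitelist separates them. The record layout, host names, signature labels and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed delivery records: (signature value, relaying host, recipient).
# Every copy carries the originating MTA's valid, unmodified signature.
def make_log():
    log = []
    for i in range(200):  # a mailing list resending a subscriber's post
        log.append(("sigLIST", "lists.example.org", f"sub{i}@example.net"))
    for i in range(200):  # same-shaped fan-out via a host nobody subscribed to
        log.append(("sigOTHER", "relay.example.com", f"user{i}@example.net"))
    log.append(("sigONE", "mail.example.org", "alice@example.net"))
    return log

def recipients_per_signature(log):
    """Map each signature value to the recipients and relays seen for it."""
    seen = defaultdict(lambda: {"rcpts": set(), "relays": set()})
    for sig, relay, rcpt in log:
        seen[sig]["rcpts"].add(rcpt)
        seen[sig]["relays"].add(relay)
    return seen

def flag_bulk(log, threshold, whitelisted_relays=frozenset()):
    """Return signatures delivered to more than `threshold` recipients,
    skipping those relayed only by hosts the operator has whitelisted."""
    flagged = set()
    for sig, info in recipients_per_signature(log).items():
        if len(info["rcpts"]) <= threshold:
            continue  # ordinary single or small delivery
        if info["relays"] <= set(whitelisted_relays):
            continue  # bulk, but from a list the operator chose to trust
        flagged.add(sig)
    return flagged

if __name__ == "__main__":
    log = make_log()
    # Without a whitelist the counter cannot tell the two fan-outs apart.
    print(sorted(flag_bulk(log, 50)))
    # The distinction comes from operator knowledge, not from the signature.
    print(sorted(flag_bulk(log, 50, {"lists.example.org"})))
```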
