[ietf-dkim] Re: MASS/DKIM interim minutes posted

Douglas Otis dotis at mail-abuse.org
Mon Sep 12 12:18:48 PDT 2005


On Sep 12, 2005, at 11:58 AM, Hallam-Baker, Phillip wrote:

> Replay is an issue in the application of DKIM to real world problems.


This problem can impact virtually any domain signing messages.  It  
will be a greater problem for providers that offer free mailboxes, as  
well as access providers that also offer outbound email services,  
largely due to the prevalence of compromised systems and networks.   
This could also be a problem for those that send bulk emails, when  
someone wishes to damage their reputation.  These groups perhaps  
represent the majority of the email being exchanged.


> Clearly there must be an answer to the replay issue, but it does not
> follow that this must be developed in MASS.


I have attempted to clarify how DKIM can be structured to handle this  
problem with a minimal overhead, even without the use of HELO  
verification.  HELO verification would be instrumental for defending  
resources.


> The replay issue only really affects Web Mail hosts, there may be
> something of an effect for some ISPs but I doubt it. In either case
> controls to prevent bulk enrollment are likely to provide a sufficient
> first line of defense.


Once a signature becomes a basis for accepting email, then rate-limiting  
techniques do not offer any protection.  A miscreant only  
needs to send themselves the initial messages, where these can be  
"replayed" from other sources in any amount.  Without a means to  
prevent this scenario, the domain signature will offer significantly  
less value as a basis for message acceptance.

-Doug
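[Editor's note: the following is an added worked example illustrating the replay scenario Doug describes above; it is not part of the original post and not code from the DKIM specification or any MASS participant. It models DKIM's property that the signature covers selected header fields and the body but not the SMTP envelope or the connecting host, so a message the signer released once can be re-injected from anywhere to any number of recipients and still verify. Assumptions made here: HMAC-SHA256 stands in for DKIM's RSA signature, the verifier reads the key locally instead of from DNS, the canonicalisation is a simplified "relaxed" form, and the message, addresses, IP and rate limit are constructed sample data.]

```python
import hashlib
import hmac
import re

# Header fields covered by the signature (DKIM's "h=" tag).  The SMTP
# envelope (HELO, MAIL FROM, RCPT TO) and the connecting host are not
# part of the signed data, so they can change freely on replay.
SIGNED_HEADERS = ("from", "to", "subject", "date")

# Constructed sample message: the attacker's own mailbox at the signing
# provider sends one copy to itself.  Names and addresses are hypothetical.
KEY = b"constructed-demo-key"          # stands in for the signer's private key
MESSAGE = {
    "from": "user1234@example.org",
    "to": "user1234@example.org",
    "subject": "Special offer",
    "date": "Mon, 12 Sep 2005 12:18:48 -0700",
}
BODY = "Buy now at http://spam.invalid/\r\n"


def _canon_header(name, value):
    # relaxed-style canonicalisation: lowercase name, whitespace collapsed
    return name.lower() + ":" + re.sub(r"[ \t]+", " ", value).strip() + "\r\n"


def _canon_body(body):
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip()) for ln in body.split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)


def _signed_data(headers, sig_without_b):
    data = "".join(_canon_header(n, headers[n]) for n in SIGNED_HEADERS)
    return data + _canon_header("dkim-signature", sig_without_b)


def sign(headers, body, key, domain="example.org", selector="s1"):
    """Return a copy of `headers` with a DKIM-Signature-like field added.
    HMAC-SHA256 stands in for the RSA signature of real DKIM."""
    bh = hashlib.sha256(_canon_body(body).encode()).hexdigest()
    sig = (f"v=1; a=hmac-sha256; d={domain}; s={selector}; "
           f"h={':'.join(SIGNED_HEADERS)}; bh={bh}; b=")
    b = hmac.new(key, _signed_data(headers, sig).encode(), hashlib.sha256).hexdigest()
    signed = dict(headers)
    signed["dkim-signature"] = sig + b
    return signed


def verify(headers, body, key):
    """Verify over headers and body only; nothing about the transport is checked."""
    sig = headers.get("dkim-signature")
    if not sig:
        return False
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("bh") != hashlib.sha256(_canon_body(body).encode()).hexdigest():
        return False
    sig_without_b = sig[: sig.rfind("b=") + 2]
    expected = hmac.new(key, _signed_data(headers, sig_without_b).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tags.get("b", ""))


class RateLimitedSigner:
    """Signer-side defence discussed in the thread: refuse to sign more
    than `limit` messages per account."""
    def __init__(self, key, limit):
        self.key, self.limit, self.issued = key, limit, {}

    def sign_for(self, account, headers, body):
        n = self.issued.get(account, 0) + 1
        if n > self.limit:
            raise PermissionError("signing rate limit exceeded")
        self.issued[account] = n
        return sign(headers, body, self.key)


def receiver_accepts(envelope, headers, body, key):
    """A receiver that treats a valid signature as grounds for acceptance.
    `envelope` is passed only to show it plays no part in the decision."""
    return verify(headers, body, key)


def replay_campaign(signed_headers, body, key, recipients):
    """Re-inject the unchanged signed message once per recipient from a
    third-party host (hypothetical botnet IP) and count accepted copies."""
    accepted = 0
    for rcpt in recipients:
        envelope = {"helo": "mail.example.org", "client_ip": "203.0.113.7",
                    "mail_from": "user1234@example.org", "rcpt_to": rcpt}
        if receiver_accepts(envelope, signed_headers, body, key):
            accepted += 1
    return accepted


def demo(victims=10000, signing_limit=5):
    signer = RateLimitedSigner(KEY, signing_limit)
    signed = signer.sign_for("user1234", MESSAGE, BODY)   # one signing request
    targets = [f"victim{i}@example.net" for i in range(victims)]
    return {
        "signatures_issued": signer.issued["user1234"],
        "limit_tripped": signer.issued["user1234"] > signing_limit,
        "replayed_copies_accepted": replay_campaign(signed, BODY, KEY, targets),
        "tampered_copy_accepted": verify(signed, BODY.replace("spam", "scam"), KEY),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the point of the post: the signer issued exactly one signature, well under its limit, yet every one of the 10,000 replayed copies is accepted because the verifier only sees the signed headers and body. The tampered copy fails, so the signature still does its job of binding content; what it cannot do on its own is bound how many times, from where, or to whom that content is delivered.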


