[ietf-dkim] New DKIM threat analysis draft
John Levine
johnl at iecc.com
Thu Oct 6 06:55:51 PDT 2005
>I have only one real reservation. In section 6.3, discussing the message
>replay attack, ...
esp. in 2nd paragraph... It is presented as if DKIM
>cannot be applied against replay since replay is indistinguishable from
>acceptable acts e.g. forwarding. This is not necessarily true. A
>legitimate application of DKIM may require senders to indicate specific
>recipient; this would allow replay prevention, of course in the price of
>requiring additional support to deal with legitimate forwarding. I'm not
>suggesting DKIM should be modified to support that, indeed this is not
>required at DKIM level at all, but I think the text now seems to exclude
>this usage, and this should be fixed imho.
DKIM doesn't do path authentication by design. It's not a bug.
It would be fine to mention that, but it would be a grave mistake to
jump into the forwarding swamp from which no path authentication
scheme has ever emerged.
R's,
John
More information about the ietf-dkim
mailing list