Re: [dmarc-ietf] third party authorization, not, was non-mailing list

Jim Fenton <fenton@bluepopcorn.net> Wed, 26 August 2020 21:00 UTC

Return-Path: <fenton@bluepopcorn.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D4A03A0138 for <dmarc@ietfa.amsl.com>; Wed, 26 Aug 2020 14:00:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.046
X-Spam-Level:
X-Spam-Status: No, score=-3.046 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.948, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bluepopcorn.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lYWDWzPK68xm for <dmarc@ietfa.amsl.com>; Wed, 26 Aug 2020 14:00:37 -0700 (PDT)
Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [IPv6:2607:f2f8:a994::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F9C53A0121 for <dmarc@ietf.org>; Wed, 26 Aug 2020 14:00:37 -0700 (PDT)
Received: from steel.bluepopcorn.net ([IPv6:2601:647:4400:1261:8943:d470:4d35:1cd2]) (authenticated bits=0) by v2.bluepopcorn.net (8.15.2/8.15.2/Debian-14~deb10u1) with ESMTPSA id 07QL0Xeb015176 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Wed, 26 Aug 2020 14:00:35 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bluepopcorn.net; s=supersize; t=1598475635; bh=a6i96l/dYlY+yYk+GrI9NPzD8MK2ZkYd5OZLSgB99Fs=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=IK0EjHxCr4kalc6s0XQOi9MFe6CeMQgsjdq1vYSawYrWzTK1ixsRaaRvDgrMuRZDy iN/ulAio5MAHUWJypUKKwAe8sPkiy1Fol+XYExBIfUwx/dbTpxFckbPyNa/i4HF1Wo YlwQcmUZcNDyVUKxgdw2J6TYBZze5N4ZCkuTKPgU=
To: Dotzero <dotzero@gmail.com>, Doug Foster <fosterd=40bayviewphysicians.com@dmarc.ietf.org>
Cc: IETF DMARC WG <dmarc@ietf.org>
References: <20200824172403.A927C1F14BF5@ary.qy> <5fe7d5c2-7330-c9fb-2856-e7dfc2175c82@tana.it> <CAJ4XoYc1vutV61E-66DHWcdOxHmCUWiC0HC0AmiRYUcMxLgcCQ@mail.gmail.com> <1fe7a47f-4ebc-7621-2c1-e4803473e8d7@taugh.com> <CAJ4XoYf3_y4tb5JYm5fGndqxKN+070LvZ6i5kjHKqH0NnbHnhg@mail.gmail.com> <001801d67bce$bdf97510$39ec5f30$@bayviewphysicians.com> <CAJ4XoYdR-kHARvkYjbbyqoEnx8YV5RP4x1z40M3-z9ap1ypcRg@mail.gmail.com>
From: Jim Fenton <fenton@bluepopcorn.net>
Message-ID: <10ed5aec-7e4f-b6d4-0564-613fd92ebf72@bluepopcorn.net>
Date: Wed, 26 Aug 2020 14:00:28 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.11.0
MIME-Version: 1.0
In-Reply-To: <CAJ4XoYdR-kHARvkYjbbyqoEnx8YV5RP4x1z40M3-z9ap1ypcRg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------7603E66535EA77E05D339AF1"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/QN2ksAF95FG_yojqFlxM3owUbN4>
Subject: Re: [dmarc-ietf] third party authorization, not, was non-mailing list
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Aug 2020 21:00:38 -0000

On 8/26/20 10:54 AM, Dotzero wrote:
>
>
> On Wed, Aug 26, 2020 at 1:32 PM Doug Foster
> <fosterd=40bayviewphysicians.com@dmarc.ietf.org
> <mailto:fosterd=40bayviewphysicians.com@dmarc.ietf.org>> wrote:
>
>     Are the weak signatures vulnerable to a replay attack?    I
>     thought that one of the reasons that DKIM signatures included the
>     whole body was to prevent the signature from being reused.
>
>     DF
>
>
> Not particularly vulnerable. The requirement is that you have the
> "weak signature" plus the intermediary full DKIM signature. This lets
> the validator/receiver know that the originating domain knew that the
> intermediary might break the originating domain's DKIM signature but
> the validator/receiver would have the DKIM signature of the
> intermediary. The "weak signature" is only validated against that
> specific message and headers it signed and that specific intermediary.
> It's not a generic/general signature.


It sounds like the weak signature is just a regular DKIM signature plus
the designation of the intermediary, and the "weak" part is that you
don't check the body hash against the body. Have I got that right?

-Jim
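
The exchange above turns on what a DKIM body hash binds and what a check that skips it leaves unbound. The following toy signer/verifier is an added example, not code from this thread or from any DKIM library, and it does not model the intermediary designation Dotzero mentions, since the thread gives no syntax for it. Assumptions: HMAC-SHA256 stands in for the RSA signature (real DKIM is a=rsa-sha256 under the selector's key), header canonicalization is a reduced "relaxed" form and body canonicalization is "simple", the message and key are constructed, and the DKIM-Signature header taken from this message's own headers is used only to exercise the tag parser.

```python
"""Toy DKIM-style signer/verifier: what bh= binds, what a header-only check skips.

Added example, not code from this thread or from any DKIM implementation.
Assumptions: HMAC-SHA256 stands in for the RSA signature, canonicalization is
a reduced "relaxed" form for headers and "simple" for the body, and the
message, key and header names below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import re

# Constructed key standing in for the signing domain's private key.
TOY_KEY = b"toy-dkim-key-not-a-real-secret"

# DKIM-Signature value from this message's own headers (used only for parsing).
PAGE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=bluepopcorn.net; s=supersize; "
    "t=1598475635; bh=a6i96l/dYlY+yYk+GrI9NPzD8MK2ZkYd5OZLSgB99Fs=; "
    "h=Subject:To:Cc:References:From:Date:In-Reply-To:From; "
    "b=IK0EjHxCr4kalc6s0XQOi9MFe6CeMQgsjdq1vYSawYrWzTK1ixsRaaRvDgrMuRZDy "
    "iN/ulAio5MAHUWJypUKKwAe8sPkiy1Fol+XYExBIfUwx/dbTpxFckbPyNa/i4HF1Wo "
    "YlwQcmUZcNDyVUKxgdw2J6TYBZze5N4ZCkuTKPgU="
)


def parse_dkim_tags(header_value: str) -> dict:
    """Parse a DKIM-Signature tag=value list (RFC 6376 tag-list) into a dict.
    Folding whitespace inside values (common in bh= and b=) is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def relaxed_header(name: str, value: str) -> bytes:
    """Reduced 'relaxed' header canonicalization: lowercase name, unfold,
    collapse whitespace runs to one space, strip, terminate with CRLF."""
    value = re.sub(r"[ \t\r\n]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n".encode()


def simple_body(body: str) -> bytes:
    """'simple' body canonicalization: CRLF line ends, drop trailing empty
    lines, always end with exactly one CRLF (an empty body becomes CRLF)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str) -> str:
    """bh= value: base64(sha256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(simple_body(body)).digest()).decode()


def _sig(headers: dict, tags: dict) -> str:
    """Signature over the h= headers plus the signature header with b= empty
    (the RFC 6376 section 3.7 hash input), HMAC standing in for RSA."""
    data = b"".join(relaxed_header(n, headers.get(n, "")) for n in tags["h"].split(":"))
    sig_value = "; ".join(f"{k}={v}" for k, v in tags.items() if k != "b") + "; b="
    data += relaxed_header("DKIM-Signature", sig_value).rstrip(b"\r\n")
    return base64.b64encode(hmac.new(TOY_KEY, data, hashlib.sha256).digest()).decode()


def sign(headers: dict, body: str, signed_names: list) -> dict:
    """Produce the tags of a toy DKIM-Signature covering signed_names and the body."""
    tags = {"v": "1", "a": "hmac-sha256", "c": "relaxed/simple", "d": "example.org",
            "s": "toy", "h": ":".join(signed_names), "bh": body_hash(body)}
    tags["b"] = _sig(headers, tags)
    return tags


def verify(headers: dict, body: str, tags: dict, check_body: bool = True) -> bool:
    """Full check needs the header signature and the body hash to match;
    check_body=False is the header-only check Jim describes as the 'weak' part."""
    if not hmac.compare_digest(_sig(headers, tags), tags["b"]):
        return False
    return (not check_body) or hmac.compare_digest(body_hash(body), tags["bh"])


def demo() -> dict:
    """Constructed message; which checks still pass after each change."""
    headers = {"From": "alice@example.org", "To": "list@example.net",
               "Subject": "Re: weak signatures"}
    body = "Original text.\r\n"
    tags = sign(headers, body, ["From", "To", "Subject"])
    new_body = "Same headers, entirely different text.\r\n"
    new_from = dict(headers, From="mallory@example.org")
    return {
        "intact_full": verify(headers, body, tags, True),
        "intact_weak": verify(headers, body, tags, False),
        "new_body_full": verify(headers, new_body, tags, True),
        "new_body_weak": verify(headers, new_body, tags, False),
        "new_from_weak": verify(new_from, body, tags, False),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the split the thread is discussing: the signature over the h= headers stays bound to those exact header values, so the same signature fails on a message with a changed From, while with the body-hash comparison skipped it also verifies over a completely different body. One grounded detail worth noticing in the parsed page header: h= lists From twice, the standard over-signing trick by which a second From header added downstream would fall under the signature and invalidate it.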