[Ietf-dkim] x= and DKIM replay

Evan Burke <evan.s.burke@gmail.com> Wed, 02 March 2022 19:42 UTC

From: Evan Burke <evan.s.burke@gmail.com>
Date: Wed, 02 Mar 2022 11:42:23 -0800
Message-ID: <CAPxNA7gHd7NPi8fZk3OgTY5H7ewLVBu9HSpJLMrR2v8tnfe7+g@mail.gmail.com>
To: ietf-dkim@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/MbTGFKJXBIk2HI6ZW1rkCgDem8A>
List-Id: IETF DKIM List <ietf-dkim.ietf.org>

Hi,

I'm reading the section in RFC 6376 on the x= tag, specifically -

INFORMATIVE NOTE: The "x=" tag is not intended as an anti-replay defense.

Could anyone shed some light on the reasoning for this, by chance? I note
that the spec for x= says "Signatures MAY be considered invalid [if past
expiration]", which isn't particularly strong guidance for how verifiers
should behave, but from my perspective, signature expiration could in
theory be an effective tool (among other defenses) to help reduce the
viability of replays.

Thanks,
-Evan
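A worked check of the x= semantics the message asks about, as an added example that is not part of the original post or of any DKIM implementation: a small RFC 6376 tag-list parser plus an expiration check, run against a constructed DKIM-Signature value (the domain, selector, timestamps and the b= placeholder are made up). It illustrates the point behind the INFORMATIVE NOTE: a copy replayed at any time before x= still passes the expiration check, so x= bounds the replay window rather than preventing replay.

```python
import re

# Constructed sample header value (not from the original message); the
# b= value is a placeholder, not a real signature.
SAMPLE_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
    "\th=from:to:subject:date; t=1646250143; x=1646854943;\r\n"
    "\tbh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=PLACEHOLDER"
)

def parse_dkim_tags(header_value):
    """Parse an RFC 6376 tag=value list into a dict.

    Folded lines (CRLF followed by WSP) are unfolded, tags are separated
    by ';', whitespace around '=' is ignored, and whitespace inside a value
    is dropped because base64 values such as b= are commonly wrapped.
    """
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)
    tags = {}
    for part in unfolded.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("tag without '=': %r" % part)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def expiration_status(tags, now):
    """Evaluate x= at verification time `now` (Unix seconds).

    Returns 'no-expiry' if x= is absent, 'expired' when now > x=, and
    'valid' otherwise. RFC 6376 requires x= to be greater than t= when
    both are present, so that case is reported as 'malformed'.
    """
    if "x" not in tags:
        return "no-expiry"
    x = int(tags["x"])
    if "t" in tags and x <= int(tags["t"]):
        return "malformed"
    return "expired" if now > x else "valid"

def replay_window_seconds(tags):
    """Seconds between signing (t=) and expiry (x=) during which a replayed
    copy still passes the x= check; None if either tag is missing."""
    if "x" not in tags or "t" not in tags:
        return None
    return int(tags["x"]) - int(tags["t"])
```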