IETF Logo Mail Archive

[Ietf-dkim] Re: Malicious Modification was: My concerns

John Levine <johnl@taugh.com> Fri, 18 April 2025 18:26 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: ietf-dkim@mail2.ietf.org
Delivered-To: ietf-dkim@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 5FDEB1E3F652 for <ietf-dkim@mail2.ietf.org>; Fri, 18 Apr 2025 11:26:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.4
X-Spam-Level:
X-Spam-Status: No, score=-4.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b="awY/Ig1c"; dkim=pass (2048-bit key) header.d=taugh.com header.b="dCNqwjs/"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LCvQ8JmECmWY for <ietf-dkim@mail2.ietf.org>; Fri, 18 Apr 2025 11:26:27 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id CD8D71E3F64D for <ietf-dkim@ietf.org>; Fri, 18 Apr 2025 11:26:27 -0700 (PDT)
Received: (qmail 56945 invoked from network); 18 Apr 2025 18:26:27 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:content-transfer-encoding:cleverness; s=de6f68029953.k2504; t=1745000777; x=1745346377; bh=/YkSkr87DG1t9sSgNB7PoKtVYujMZEC5KFuxJh7o5Ik=; b=awY/Ig1cYKKCvRXfviqoEcgeBgvaw0m5txs/GhU8Aa5r+4OF3UixSbBSdpeIak+xJusOr12JVicNKYLjk5xKql6cgaD5vkW/BBRWIFVwXsGdnHJ30KvsvT69KWqF1nBn9bID9opyZc9UGI9+Go0jJ0JnPcea4G7dNpUDs1WdhKcf9br9m/b7Ju7XbisZWANHMnzSNDh0e0PIuN1NrtwSy1uO7fesgGla1VJOx6HlcpZeiY0mUWQLTkISVrjYTaGAE0jNpo/munrqZzHhoGwGafNc5KSpxdH3Xw46gAoOvhl68PDQUo0pMQOsQZaWPGzxBfgcrsgXi/DCJRKeUICrow==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:content-transfer-encoding:cleverness; s=de6f68029953.k2504; bh=/YkSkr87DG1t9sSgNB7PoKtVYujMZEC5KFuxJh7o5Ik=; b=dCNqwjs/jzl6tqNWcz4EWTBAfyXARghgDXOpmucFB86lt8hPkouv0/uAIxvI5yKeeYlQNttKUPS9ceccx7zMpj2yrxTryuCsBiXzOOyCoPpmkcRZtOj+nOn6vy7D6fowO21k8wb5hl8LfwQcPGVqd5wjhcrvEkApqbC9YoBOpQXh5Xw7fw2BSTBkQ701RJRLtLiaEiPE48L4UhLL4aJf6GMvNtQ0pUWk9nbea/3urt6aGyFxXk1yqBTMi3sO5owRZ10OG98CSOeYFJgkIP4CpEqUEcj5e3RoSyFZu2mafq9YwTnvD0mQ67wb9P9HPlx7l+67jcEyvEeCTg0vSdr2vw==
Received: from ary.qy ([IPv6:2001:470:1f07:1126:0:78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126:0:78:696d:6170]) with ESMTPS (TLS1.3 ECDHE-RSA CHACHA20-POLY1305 AEAD) via TCP6; 18 Apr 2025 18:26:27 -0000
Received: by ary.qy (Postfix, from userid 501) id CED8CC53D658; Fri, 18 Apr 2025 14:26:26 -0400 (EDT)
Date: Fri, 18 Apr 2025 14:26:26 -0400
Message-Id: <20250418182626.CED8CC53D658@ary.qy>
From: John Levine <johnl@taugh.com>
To: ietf-dkim@ietf.org
In-Reply-To: <ea4f514b-cdbd-467a-b90c-6c741b758939@tana.it>
Organization: Taughannock Networks
References: <eb34b668-742b-4d31-af37-fed99f6f6f10@fahq2.com> <zN0v1CDB$7$nFA5D@highwayman.com> <bb288a78-c7b4-4455-b9d5-fbc2e73d8f32@fahq2.com> <loa6cVG78$$nFAY3@highwayman.com> <ea4f514b-cdbd-467a-b90c-6c741b758939@tana.it>
X-Headerized: yes
Cleverness: minimal
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Message-ID-Hash: 22LA5ZQUN7LFK75IXHPIKWW5BB45A5HY
X-Message-ID-Hash: 22LA5ZQUN7LFK75IXHPIKWW5BB45A5HY
X-MailFrom: johnl@iecc.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ietf-dkim.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: vesely@tana.it
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Ietf-dkim] Re: Malicious Modification was: My concerns
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/rM-3DmXaZxexUCj4VuFw7OzKtjg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Owner: <mailto:ietf-dkim-owner@ietf.org>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Subscribe: <mailto:ietf-dkim-join@ietf.org>
List-Unsubscribe: <mailto:ietf-dkim-leave@ietf.org>

It appears that Alessandro Vesely  <vesely@tana.it> said:
>On Wed 16/Apr/2025 21:04:27 +0200 Richard Clayton wrote:
>> In message <bb288a78-c7b4-4455-b9d5-fbc2e73d8f32@fahq2.com>, Larry M. Smith <ietf.org@fahq2.com> writes
>>
>>>Experience has shown that threat actors are willing to go to great 
>>>lengths to have access to a large pool of resources to abuse and then 
>>>rapidly discard.[1]  Knowing what object to apply poor reputation to for 
>>>the last event often doesn't help for future ones.
>>
>> Indeed so, but reputation systems (because once again to state the 
>> obvious, protocols cannot prevent bad email, but they can provide tools 
>> for handling it efficiently) may take the view that a brand-new identity 
>> that has acted as an intermediary to alter some email is not especially 
>> trustworthy...
>
>This position leads to ARC-style authentication, where one must trust that the 
>changes are benign.
>
>DKIM2 has change tracking.  Can't we tell whether a change is evil or not?

Um, I think RFC 3514 applies here.

R's,
John

v2.46.0 | Report a Bug | By Email | System Status