Re: [Exim] Yahoo DomainKeys...

--
James P Roberts wrote:
> > To prevent replay attacks?! Otherwise a spammer could take the signed
> > header lines and add another body. At least I would, if I were a
> > spammer. ;)
> So, include a time/date header, to be added by the sending MTA just prior to
> sending it, and have the receiving MTA check it after decrypting to make
> sure it is sufficiently close to the current time?

How do you define "sufficiently close"? 1 hour? 12 h? 1 day? 4 days? 1
week? 1 month? In any case, a spammer is likely to get hands on a valid
"header" -- they do read mailing lists.

Timestamp comparison are only practical in p2p connections with well
syncronized clocks.

> If the sending MTA
> retries, it should delete/replace the previous header with a new one at each
> retry, just prior to encrypting.

SMTP is a store and forward protocol. We do have multiple steps (backup
MX, DMZ relays ...) in the delivery process without access to the
private key.

> Heck, for that matter, include the sending MTA IP address, a copy of the
> original sender's domain, and the original sender's IP address, in the
> encrypted time/date header. Call it a "domain key header" or something.
> Just brainstorming...

It sounds quite awkward and complicated. I won't try to understand your
plan completely as the starting points are not well thought out.

Andre
--
Beware of Geeks bearing gifs.
--
Content-Description: Digital signature

[ signature.asc of type application/pgp-signature deleted ]
--