[ietf-dkim] DKIM SSP: Security vulnerability when SSP record does not exist?

[Jim Fenton]

Earl Hood wrote:

>In the DKIM SSP draft, the following is stated:
>
>  If the Sender Signing Policy record does not exist, verifier systems
>  MUST assume that some messages from this entity are not signed and
>  the message SHOULD NOT be considered to be Suspicious.
>
>I'm wondering if this a safe policy to assert, especially in the
>context of past SSP discussions on ietf-mailsig where the SSP may
>need to be examined always, and not just for invalid signatures.
>  
>
It's all a matter of precedence, whether one should believe in the 
signature or in the signing policy in the event of a conflict between 
the two.  If you believe (as I do) that any attacker who can get a valid 
signature for the OA on a message can just as easily override the SSP 
for that domain, then the SSP doesn't add any value when you have a 
valid OA signature.

>Why is it not safe?  Because a malicious domain can send out messages
>with forged rfc2822.From addresses where the domain portion does not
>have any SSP defined.  Therefore, when a DKIM verifier checks the
>SSP for rfc2822.From, the message would not be considered suspicious
>since no SSP record is available.
>  
>
But how would they get a valid signature on behalf of the OA?  Or are 
you saying that one should treat the message differently from an 
unsigned message because there is an invalid OA signature present?

There isn't any reason to apply a signature unless you know it will 
verify correctly.  Conversely, there isn't any reason to downgrade a 
message simply because it has an invalid signature.

-Jim (theoretically on vacation, so responses will be slow)