[ietf-dkim] Not exactly not a threat analysis
dotis at mail-abuse.org
Mon Aug 15 22:58:54 PDT 2005
On Mon, 2005-08-15 at 21:53 -0500, Earl Hood wrote:
> On August 15, 2005 at 16:33, Douglas Otis wrote:
> > Making an anti-forgery claim spills over into the local-part.
> I'm not sure about this statement. There appears to be two types
> of forgery: domain-level and address-level. Are you saying that
> effective domain-level forgery protection is not possible without
> providing address-level forgery protection?
Verifying an accountable domain will not prevent a mailbox-address from
being forged (falsified). Asserting that the From mailbox-domain must
be signed by the same domain, or even a sub-domain, may reduce possible
sources of forgery, but it does _not_ prevent forgery, such as the
falsification of the local-part. There is a long list of deceptive
tactics encompassed by forgery, where the mailbox-address is likely a
small concern. Forgery and related criminal deceptions may include
payloads carrying Trojans or links to deceptive web sites.
Such protection is outside of DKIM. If the domain is large and depends
upon the network address to authenticate users, then claims that DKIM
prevents forgery would be irresponsible, even when the From mailbox-
domain is restricted to being signed by the same domain. While there
_may_ be value in making these types of assertions to limit sources of
potential abuse, these assertions are unrelated to DKIM. DKIM provides
an accountable domain that can take corrective action when there are
reports of abuse, such as when there is a problem with forgery.
Domain assertions for the naive user _may_ enhance their protection, but
be cautious about what is actually being provided by these assertions.
There are risks when creating false expectations. Even with these
assertions in place and rigorous controls established by the signing
domain, there are many avenues where these protection schemes are
trivially bypassed through the use of deceptive headers, such as pretty
names or emphasis placed upon a different header by the MUA. Displaying
the accountable domain name without these assertions would be a far
Considering anti-forgery or anti-phishing out of scope for DKIM would
increase a focus upon what DKIM is actually providing. DKIM provides an
accountable domain. That is enough. There are a few areas where this
domain and the signing process remain exposed. If these exposures are
not addressed, this may prevent DKIM from offering real value in
curtailing abuse and achieving wide deployment.
More information about the ietf-dkim