[ietf-dkim] DKIM Threat Analysis v0.06

[Jim Fenton]

Arvel Hathcock wrote:

> Here's what I think.
>
>> 1.  Who are the bad actors that DKIM is trying to thwart?  Put another
>> way, if DKIM is deployed, what bad actors will have to find a different
>> way to perform their bad acts.
>
>
> The bad actors are anyone who would use a domain name in an identity 
> header of an email message without authorization from the domain 
> owner.  The same will have to discover a new means of doing so.

There are different classes of bad actors:  some only want to cover 
their tracks and will send mail using arbitrary addresses, others want 
to use specific domains (either spoofing established domains or using 
lookalikes), and yet others will want to exploit existing social 
relationships (gleaned from address books) in order to try to get 
through whitelists.

>
>> Also, what resources do these bad actors have at their disposal?
>
>
> I assume "resources" refers to the set of conditions the bad actor 
> finds which enables him to achieve his goal.  These are primarily (a) 
> the wide-open unauthenticated nature of SMTP which lets anybody claim 
> they are anybody else (b) the wide-open unauthenticated nature of 
> RFC-2822 which has no inherent mechanism for restricting the use of 
> identity headers to the domain owner (c) the relative lack of use (for 
> whatever reason) of stronger security measures such as S/MIME and PGP 
> and (d) the ubiquitous habit of and conditioning imposed through the 
> display of the RFC-2822.From identity header to email consumers in 
> preference to any other identity.

I think by "resources" what he means is what capabilities does the 
attacker have.  Can the attacker mount a man-in-the-middle attack?  Can 
the attacker corrupt the key storage?  Can the attacker pretend to be 
coming from a different IP address (if that's even relevant)?  Does the 
attacker have access to signed messages which might be modified ?  Can 
the attacker cause some arbitrary message to be signed which they might 
be able to exploit?

There is probably not a single answer to many of these questions, 
because there is more than one class of attacker here.  So we need to 
describe which of these we intend to address and which we don't.  An 
attacker that can trick a registrar into changing the DNS entries for a 
domain to their rogue DNS servers is one we don't intend to address, for 
example.

>
>> 2.  Where are these bad actors in the protocol environment?  Where in
>> the email system do they pop up to perform the acts that DKIM is trying
>> to prevent.  Again, different bad actors may appear at different places.
>
Some of the "places" that he refers to might be whether the bad actors 
are within the originating domain, the recipient's domain, whether they 
might pose as (or attack) mailing lists, or whether they're out in 
interdomain space.

>>
>> 3.  What are the bad acts that DKIM is trying to thwart?  The first two
>> questions are really background for this question.
>
>
> These are so related it's hard for me to separate.  Unauthorized 
> domain use is a means to several ends.  The 'end' will determine 
> where, in the email delivery chain, the bad actor "pops up".  When the 
> goal is to trash the reputation of a domain owner in the eyes of an 
> email user or ply some scam part of which requires the unauthorized 
> use of a domain to lend it credibility, the "pop up" is the MUA of an 
> email user and the effect takes place in the mind of that user.  When 
> the goal is to thwart filtering agents or attempt to manipulate a 
> receiving domain's incoming email policy in some way the "pop up" is 
> at the point wherein those processes are invoked and the effect is in 
> reducing or rendering useless the effectiveness of those processes.

Sure; we need to distill down the list of bad acts as much as possible 
in order to make the discussion as clear and unambiguous as possible.  
The trashing of domain reputations and such is a second-order effect.

-Jim