[ietf-dkim] DKIM SSP: Security vulnerability when SSP record does not exist?

Douglas Otis dotis at mail-abuse.org
Mon Aug 22 10:41:19 PDT 2005


On Aug 22, 2005, at 8:35 AM, Scott Kitterman wrote:

>
> To summarize, you think that SSP is dangerous, won't do what its  
> proponents claim, and can't be fixed.  Thus SSP and its ilk  
> shouldn't be dealt with by the working group.  You believe that  
> there are other, better ways to solve whatever problem it is that  
> you are trying to solve.
>
> I, and I believe others, think that SSP is essential and that while  
> DKIM signatures alone may have some value, the marginal utility for  
> DKIM absent some expression of sender policy is low.


I don't think this adequately restates my view.  For example, the  
draft for the CSA record provides for domain-wide assertions that  
demand outbound servers within the domain must have a CSA record.   
This assertion is not tied to a mailbox-address, nevertheless the  
assertion provides actionable value.

http://www.mipassoc.org/csv/draft-ietf-marid-csv-csa-02.html

The same type of domain-wide assertion, in the same manner, would be  
possible without imposing a requirement that the signature be bound  
to a header.  A new domain-wide assertion (even perhaps by a CSA  
record) could be that any domain's signature is demanded within this  
domain.  The CSA assertion could also indicate signatures by the  
domain itself are demanded within this domain.

HELO verification could be considered a weaker form of DKIM  
verification, but which cannot be securely carried forward within  
the message.  HELO verification, in addition to being able to  
mitigate subsequent lookups for domain-wide assertions, also provides  
a significant level of DoS resistance not available with a  
signature.  HELO verification by a CSA record could also mitigate a  
need to do DKIM revocation checks.

The difference of opinion is really whether there is value binding  
domain-wide assertions to mailbox-addresses.  This binding of  
mailbox-addresses would be of little use once an "accountable domain" is  
available and can be seen by recipients, or used with manual  
filtering rules.  Attempts to bind signatures through domain-wide  
assertions with mailbox-addresses will create unintended  
administrative issues sure to stifle DKIM acceptance, rather than  
acting as motivation.


-Doug


