[ietf-dkim] DKIM SSP: Security vulnerability when SSP record does not exist?

Scott Kitterman ietf-dkim at kitterman.com
Mon Aug 22 15:23:11 PDT 2005


Douglas Otis wrote:
> 
> On Aug 22, 2005, at 11:02 AM, Scott Kitterman wrote:
> 
>> So to narrow my previous attempt at a summary, you think that
>> domain-wide assertions cannot be accurately made for mail addresses,
>> but that it can for HELO/EHLO?
> 
> Accuracy is not the issue.  While a domain-wide assertion may
> accurately issue requirements, the value of the assertion should be
> assessed against intended goals.  Part of that assessment should
> include whether a goal is reasonably achieved, and weighed against
> administrative complexity and a potential for inordinate use of DNS.
> An assertion that HELO must verify with a CSA record where the same CSA
> record makes the assertion, achieves the goal of assured verification
> with low administrative complexity and low use of DNS.

It would seem to me then that effectiveness and usefulness of domain 
wide sender policy assertions is a matter for proper design.  I think 
that saying that something must be well designed is not a reason to put 
it out of scope for the working group's initial efforts.

> Binding a mailbox-address or mailbox-domain to a domain signature is
> not a goal, it is a mechanism.  What is the intended goal?  What is the
> selection process?  What level of administrative effort will this
> entail?  What level of DNS interaction is required?
> 
Good design questions for the group to work on once it's chartered.

> Such a domain-wide assertion could inhibit a zombie system from
> purporting to offer valid signatures when signing for other domains.
> It could also inhibit a zombie system from sending without a
> signature.  What has been excluded?  A goal of preventing unauthorized
> sending of email is accomplished with low administrative complexity and
> low use of DNS.
> 
Yes.  An excellent reason to include such work in the charter.

> In the same manner many use self-signed keys when accessing servers
> using SSH, the same type of local manual binding is possible once there
> is a domain signature.  Should specific communications be important to
> the recipient where they wish to be alerted to _possible_ spoofing of
> these individuals or roles, perhaps the MUA could offer a button to
> remember the mailbox-address/signing domain/opaque-identifier
> bindings.  Any other message using that same mailbox-address that does
> not include this binding would cause a warning.  While this approach is
> not iron-clad, it could help eliminate many of the common exploits.
> Often the recipient knows by other means whether this is a valid
> message to permit such initial assessments.

So you think that such a relationship can be established, at least in 
part, but that it's not suitable to put it in DNS?
> 
> I have yet to hear your explanation how abuse can be determined in  
> advance.
> 
I will say again that I don't think that's the point.  The point is to 
detect forgery.  Whilst strictly speaking operating outside the domain 
owner's stated sender policy isn't necessarily exactly congruent with 
forgery, I'll take that as close enough.
> 
>> And that it will be up to users to determine the relationship
>> between the signing domain and the e-mail addresses and evaluate the
>> legitimacy of the message?

> When DKIM becomes widely deployed (which assumes stumbling blocks were
> not created), then simple features such as single click recording of
> typical mailbox-address/signing-domain/opaque-identifier bindings would
> make establishing a strong relationship a rather painless task.  It
> would also instill confidence without making email more complex to use
> or entail a major portion of the Earth's available RAM to support DNS.
> 
It sounds to me like that's a long way of saying yes to my question.  Is 
that right?

Scott Kitterman
