[ietf-dkim] draft-fenton-dkim-threats-00

Douglas Otis dotis at mail-abuse.org
Thu Oct 6 12:08:35 PDT 2005


On Oct 6, 2005, at 10:32 AM, Jim Fenton wrote:

> Douglas Otis wrote:
>
>
>>
>> Avoiding repudiation was not heeded within the DKIM draft
>> abstract that explains intent. : (
>>
>
> I really don't understand the above statement.


The DKIM abstract makes similar claims and _states_ repudiation is  
the form of protection offered.  It will be very difficult to defend  
that position in my view.


>> A reputation mechanism can be safely established to accrue
>> behavioral information of the signer.  How can reputation be
>> extended to include "addresses" and "identities"?  What
>> protection is possible without reputation assessments?
>>
>> A DKIM signature in fact _does_ guarantee the accountability of
>> the signer.  It simply does not guarantee their behavior.  That
>> is why reputation in the form of white-lists, accreditation, or
>> reputation services is _required_.  Reputation is _not_ an
>> enhancement.
>>
>
> The threat analysis characterizes the bad acts as the spoofing of
> email addresses.  It does not consider bad behavior to be one of
> the bad acts that we're guarding against.  Perhaps that is unclear
> from the wording "is not effective against the use of addresses
> they control."  What I mean to say is that the use of addresses is
> out of scope for DKIM, rather than that DKIM is trying to solve
> that problem but doesn't manage to.


Your language seems to miss an aspect with respect to reputation at
least.  The question is not whether DKIM directly prevents bad
behaviors, which include the spoofing of email addresses; it is whom
DKIM holds accountable.  Mailbox addresses should be declared
"unprotected", with a possible exception where a domain asserts that
it signs all its own mail.  How this assertion is made and applied is
a different issue for later.  Within this limitation, as a means to
avoid the misapplication of reputation, it should be safe to claim
some protection by way of repudiation.


>> By attempting to extend DKIM to include the protection of
>> "addresses" in the generic sense, there is danger entering into a
>> quagmire.  Nothing can be accrued with respect to the "address"
>> in terms of bad behavior without implying the signer is also not
>> trustworthy.  This creates a serious paradox.
>>
>> Only when the "address" and the signer are the same, would it be
>> possible to safely make assertions of behavior, but then of
>> course extending assertions of behavior to the "address" would
>> not be required.  I see little within the threat analysis that
>> clarifies this limitation.  I am not comfortable with promises
>> that "address" protection is limited to just repudiation.
>>
>
> I would go further than that to say that even when the "address"  
> and signer are the same, it still isn't possible to safely make  
> assertions of behavior with DKIM.  You are correct that reputation  
> and/or accreditation systems would be required to do so, but that  
> this analysis (and the WG charter we have been considering) do not  
> deal with that part of the problem.

I agree with this to some extent; however, the threat analysis should
consider what form of protection is enabled by DKIM.  Details of the
implementation of reputation are likely best handled by a different
WG.  Nevertheless, there must be some clarity regarding what form of
protection is being enabled by DKIM.  Remaining silent on this issue
has not added the requisite clarity.  I see this document providing
greater value when these issues have been clarified.  DKIM only
supports repudiation, and reputation except when attacked?  These
seem to be points needing better clarification.

-Doug
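As an added illustration of the accountability point argued above (example code, not from the thread, the DKIM drafts, or any DKIM implementation): the script parses the DKIM-Signature tag list (RFC 6376 tag=value syntax) and reports whether the signing domain (d=) is the domain of the From: address or a third party. It does not verify the cryptographic signature; the sample messages and the bh=/b= values in them are constructed placeholders, and treating a From: subdomain of the signer as "author-domain" is this example's own assumption.

```python
"""Who does a DKIM signature hold accountable?

Added example, not code from the ietf-dkim thread or any DKIM library.
It parses the DKIM-Signature header's tag list and compares the signing
domain (d=) with the domain of the From: address. No cryptographic
verification is performed: the bh= and b= values below are placeholders.
"""
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample messages (CRLF line endings, headers then body).
AUTHOR_SIGNED = (
    b"From: Alice <alice@example.com>\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: constructed sample\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    b" s=sel; h=from:to:subject; bh=PLACEHOLDER; b=PLACE\r\n"
    b" HOLDER\r\n"
    b"\r\n"
    b"body\r\n"
)

THIRD_PARTY_SIGNED = (
    b"From: Alice <alice@example.com>\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: constructed sample\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    b" d=mailer.example.net; s=sel; i=@mailer.example.net;\r\n"
    b" h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    b"\r\n"
    b"body\r\n"
)

UNSIGNED = (
    b"From: Alice <alice@example.com>\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"body\r\n"
)


def parse_dkim_tags(value):
    """Parse a DKIM-Signature tag list into a dict.

    Tags are separated by ';'. Whitespace (including header folding)
    inside a value is dropped, so a b= value split across lines rejoins.
    """
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue  # empty element after a trailing ';'
        name, val = item.split("=", 1)
        tags[name.strip()] = "".join(val.split())
    return tags


def author_domain(msg):
    """Domain of the RFC 5322 From: address, lowercased, or None."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def accountable_party(raw):
    """Report which domain a DKIM signature makes accountable.

    The accountable party is always the signer (d=). The From: address
    is only 'protected' when its domain is the signer itself (or, by
    this example's assumption, a subdomain of it); a third-party
    signature says nothing about whether that address was spoofed.
    """
    msg = message_from_bytes(raw)
    author = author_domain(msg)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return {"signer": None, "author": author, "relation": "unsigned"}
    tags = parse_dkim_tags(sig)
    signer = tags.get("d", "").lower()
    if author == signer or (author and author.endswith("." + signer)):
        relation = "author-domain"
    else:
        relation = "third-party"
    return {"signer": signer, "author": author,
            "agent": tags.get("i"), "relation": relation}


if __name__ == "__main__":
    for label, raw in (("author-signed", AUTHOR_SIGNED),
                       ("third-party-signed", THIRD_PARTY_SIGNED),
                       ("unsigned", UNSIGNED)):
        print(label, accountable_party(raw))
```

In the third-party case the script reports mailer.example.net as the accountable signer while the From: domain example.com is left unprotected, which is the situation the thread describes: reputation can be accrued against the signer, but nothing about the address itself follows from the signature.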

