[ietf-dkim] Re: is this a problem or not?
dotis at mail-abuse.org
Fri Oct 28 18:48:21 PDT 2005
On Oct 28, 2005, at 5:11 PM, Frank Ellermann wrote:
> Stephen Farrell wrote:
>> 1. Alice works for Alice-Corp who publish a policy to the effect
>> that they and only they sign all their outbound mail.
>> 2. Alice posts a message to Foo-list which signs the message
>> itself and drops Alice's signature.
>> 3. Bob receives the message from the Foo-list, signed by the list.
>> 4. Bob looks up Alice-Corp's ssp assertion and considers the
>> message as having a bad signature.
>> 5. In order to allieviate this problem Alice-Corp are forced
>> to weaken their policy to allow 3rd party signatures to be
>> accepted by Bob.
>> If the above is possible, how should/can it be avoided?
> Never ever sign anything that is already signed. Or at the
> very minimum don't "drop" signatures.
> It's the point of DKIM to find some "accountable" party as
> near to the sender/originator/author (pick what you like)
> as possible. Therefore step 2 in your scenario is strange.
Removing or over-writing signatures (as reviewed in the multiple
signature section of my threat review) would ensure the list does not
expose other domains to replay abuse. A good thing. I even took
this further and suggested all Administrative Units may wish to over-
write verified signatures and replace these signatures with a
signature that by convention is never accepted outside the
Administrative Unit. If the subject lines and message content were
intentionally changed, and the list-server wished to permit a name
basis for accepting messages, then signing all outbound messages
would be a solution. Ensuring the initial signature no longer
verifies could be considered a good practice. This would therefore
handle all messages that have been submitted and also establish a
channel where replays would not be a concern.
> Why does the list do this, because it manipulated Alice's
> mail ? Then Bob's result in step 4 is correct, this mail
> was "forged" (= the "list" might be some attacker, social
> engineering abusing Alice's address).
If the list-server has a good reputation, why does the reputation of
every subscriber to this list need to be questioned? Why can't the
list be held accountable for their messages?
> If Alice and Bob insist on using a list that manipulates
> mail they have to white list it. Or find a new list admin
> with some clue to stop this abuse.
What abuse? Why is white-listing needed?
> Step 4 means "DKIM working as designed", it's a feature
> and no bug.
Break everything is a feature? Limit email-addresses to a single
provider is a feature?
More information about the ietf-dkim