[ietf-dkim] Re: is this a problem or not?
Douglas Otis
dotis at mail-abuse.org
Fri Oct 28 18:48:21 PDT 2005
On Oct 28, 2005, at 5:11 PM, Frank Ellermann wrote:
> Stephen Farrell wrote:
>>
>> 1. Alice works for Alice-Corp who publish a policy to the effect
>> that they and only they sign all their outbound mail.
>> 2. Alice posts a message to Foo-list which signs the message
>> itself and drops Alice's signature.
>> 3. Bob receives the message from the Foo-list, signed by the list.
>> 4. Bob looks up Alice-Corp's ssp assertion and considers the
>> message as having a bad signature.
>> 5. In order to alleviate this problem Alice-Corp are forced
>> to weaken their policy to allow 3rd party signatures to be
>> accepted by Bob.
>>
>> If the above is possible, how should/can it be avoided?
>>
>
> Never ever sign anything that is already signed. Or at the
> very minimum don't "drop" signatures.
>
> It's the point of DKIM to find some "accountable" party as
> near to the sender/originator/author (pick what you like)
> as possible. Therefore step 2 in your scenario is strange.
Removing or over-writing signatures (as reviewed in the multiple
signature section of my threat review) would ensure the list does not
expose other domains to replay abuse. A good thing. I even took
this further and suggested all Administrative Units may wish to
overwrite verified signatures and replace these signatures with a
signature that by convention is never accepted outside the
Administrative Unit. If the subject lines and message content were
intentionally changed, and the list-server wished to permit a name
basis for accepting messages, then signing all outbound messages
would be a solution. Ensuring the initial signature no longer
verifies could be considered a good practice. This would therefore
handle all messages that have been submitted and also establish a
channel where replays would not be a concern.
> Why does the list do this, because it manipulated Alice's
> mail? Then Bob's result in step 4 is correct, this mail
> was "forged" (= the "list" might be some attacker, social
> engineering abusing Alice's address).
If the list-server has a good reputation, why does the reputation of
every subscriber to this list need to be questioned? Why can't the
list be held accountable for their messages?
> If Alice and Bob insist on using a list that manipulates
> mail they have to white list it. Or find a new list admin
> with some clue to stop this abuse.
What abuse? Why is white-listing needed?
>
> Step 4 means "DKIM working as designed", it's a feature
> and no bug.
Breaking everything is a feature? Limiting email addresses to a single
provider is a feature?
-Doug
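The five-step scenario quoted at the top of this message, and the three ways out of it that the thread argues over (the list keeps the author's signature instead of dropping it, Alice-Corp weakens its policy, or Bob whitelists the list), can be traced in a small model of the verifier's decision. The code below is an added example and is not code from the thread or from any DKIM implementation; the policy names (`AUTHOR_ONLY`, `THIRD_PARTY_OK`, `NO_POLICY`), the `SSP` table standing in for the DNS lookup, and the domains `alice-corp.example` and `foo-list.example` are constructed for illustration and are not the tag values of the SSP draft.

```python
"""Simplified model of DKIM signing-policy evaluation for the mailing-list
scenario. Signatures are modelled only as the set of signing domains that
verify on receipt; canonicalisation and key lookup are out of scope."""
from dataclasses import dataclass, replace

# Constructed policy vocabulary (assumption: not the SSP draft's record syntax).
AUTHOR_ONLY = "author-only"        # "we and only we sign all our outbound mail"
THIRD_PARTY_OK = "third-party-ok"  # author signs, but other signers are acceptable
NO_POLICY = "none"                 # the domain publishes no policy at all

# Constructed sample policy table; in step 4 this would be a DNS lookup.
SSP = {"alice-corp.example": AUTHOR_ONLY}


@dataclass(frozen=True)
class Message:
    author_domain: str      # domain of the From: address
    signers: tuple = ()     # domains whose DKIM signatures verify on receipt


def sign(msg, signer):
    """Add a verifying signature from `signer` to the message."""
    return replace(msg, signers=msg.signers + (signer,))


def list_relay(msg, list_domain, drop_existing):
    """Step 2: the list re-signs the message, optionally dropping
    the signatures that were already present."""
    base = replace(msg, signers=()) if drop_existing else msg
    return sign(base, list_domain)


def evaluate(msg, ssp, trusted_third_parties=frozenset()):
    """Step 4: Bob combines the surviving signatures with the author
    domain's published policy. `trusted_third_parties` is Bob's local
    whitelist of list domains he accepts in place of the author's signature."""
    policy = ssp.get(msg.author_domain, NO_POLICY)
    if msg.author_domain in msg.signers:
        return "pass"                      # author-domain signature survived
    if not msg.signers:
        return "unsigned" if policy == NO_POLICY else "suspicious"
    # Only third-party signatures remain.
    if policy == AUTHOR_ONLY:
        if any(s in trusted_third_parties for s in msg.signers):
            return "pass-whitelisted"      # Bob chose to trust the list
        return "suspicious"                # policy says only the author signs
    return "pass-third-party"              # policy tolerates other signers


def scenario(drop_existing=True, policy=AUTHOR_ONLY, whitelist=frozenset()):
    """Run Alice -> Foo-list -> Bob end to end and return Bob's verdict."""
    ssp = {"alice-corp.example": policy}
    original = sign(Message("alice-corp.example"), "alice-corp.example")
    relayed = list_relay(original, "foo-list.example", drop_existing)
    return evaluate(relayed, ssp, whitelist)


if __name__ == "__main__":
    print("list drops Alice's signature:     ", scenario())
    print("list keeps Alice's signature:     ", scenario(drop_existing=False))
    print("Alice-Corp weakens its policy:    ", scenario(policy=THIRD_PARTY_OK))
    print("Bob whitelists the list:          ",
          scenario(whitelist=frozenset({"foo-list.example"})))
```

The default run reproduces step 4: with the author's signature dropped and an author-only policy, Bob's verdict is `suspicious`. Each of the other three calls changes exactly one thing, which makes it clear that the "fix" in step 5 moves the cost onto every receiver of Alice-Corp mail, while keeping the original signature intact or whitelisting the list keeps the cost local to the list and to Bob.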