[ietf-dkim] SSP security relies upon the visual domain appearance
Douglas Otis
dotis at mail-abuse.org
Tue Nov 22 18:22:30 PST 2005
On Nov 22, 2005, at 4:25 PM, Hector Santos wrote:
>
>>> How about the rights of the server? of the domain owner?
>>
>> The signing-domain would be that of the administrative-unit
>> introducing the message. Why is that not an adequate basis for
>> acceptance?
>
>
> What's an "Administrative Unit"?
It is used in the draft, although Dave does not like the term either.
2. Email Actor Roles
http://www.ietf.org/internet-drafts/draft-crocker-email-arch-04.txt
> What about the rights of the server, domain, the owner of the email
> domains being exploited?
Requiring an email-address owner to "authorize" who may sign their
messages exposes them to the risks of the authorization itself. The
authorization may be used to unfairly accrue behavior due to the
"junk" they inadvertently authorize. This should sound familiar, as
it is a scheme already in place. The email-address owner may quickly
lose their right to have their messages accepted when authorizing
third-party signers. This breaks current email practices and thus
should win broader consensus before moving forward. Considering that
SSP is a futile effort and that there are better methods to avoid
spoofing, why should it?
For example, when this list implements a DKIM signature without other
changes, then third-party signatures will need to be permitted. Why
is the signature of the list-server alone not an adequate basis for
acceptance? Email-addresses should not be held accountable unless
S/MIME or OpenPGP provides an expectation that the email-address owner
and the signer are one and the same.
Consider a scheme where a prior correspondent is highlighted as the
means to avoid spoofs of all sorts (including look-alikes). Just the
existence of a DKIM signature would greatly improve filter heuristics
without the authorization scheme. Deterministic criteria can be
asserted without an authorization record, by the way. When only
'o=!' records exist, the overhead will be fairly high, especially for
the spam that uses a series of wildcard labels in their addresses to
avoid filters.
>> Do you think that a worm will not adapt and avoid "deterministic"
>> constraints?
>
> But even if it did, it would be a lot better than your "Take The
> First Strike" ideas where there is no incentive for adaptation.
If they have adapted and comply with your "deterministic"
requirements, how have you avoided the "Blitz" attack or any other
strategy? Why not depend upon the signing-domain as a basis for
acceptance? This would anticipate network exploits as well as
meeting your deterministic criteria. This puts you two moves ahead.
>
>> As a child, you may have enjoyed the game of tic-tac-toe. Once you
>> better understood the game, you simply decide not to play. When an
>> opponent also knows the game, you become aware there is no point.
>
> I hope you realize the nonsense point you are trying to make also
> applies to both players. Once the bad actor knows there is no way to
> win, he will stop trying just as well.
When your deterministic criteria can be met by the abuser, you have
failed to win. They win when you don't. This is an expensive game
when thousands of applications must be rewritten for a no-win scenario.
-Doug