[ietf-dkim] Fenton-DKIM-Threat-02 3.1. Use of Arbitrary Identities
fenton at cisco.com
Thu Jan 5 15:41:39 PST 2006
Douglas Otis wrote:
> Perhaps this can help with context.
[very good chart removed for brevity]
> This chart is not finalized, but the direction raises serious
> concerns. This chart appears to be an attempt to hold the email-
> address domain owner culpable. It is also disheartening to see the
> email-address domain owner offers a reporting address, but not the
> signer. There are alternatives to SSP, but following this direction...
The chart does not hold anyone culpable. When a message is received
with a valid signature, the signer is acknowledging that the message
came from or through them. [We should really work out the wording on
this: do they "take responsibility"? Are they "accountable"? But I
digress.] What SSP does is to strengthen what can be said of a message
without a valid signature: it gives the email-address domain owner (to
use your term) or originating-address domain owner (to use mine) the
ability to assert that they didn't send the message. So it makes them
less culpable, not more.
It's true that there is no reporting address associated with the signer
(there is the n= (notes) field in the key record, but no guidance about
putting a reporting address there). That is perhaps something that
should be added; do you think it belongs in the key record or in the
> When reputation of the email-address domain owner takes precedence
> over that of the signer, this could coerce the authorization into
> becoming "closed" ('!'). To lessen disruption caused by the "closed"
> authorization, the PRA algorithm could be used. With Jim suggesting
> Sender-ID may solve the replay issue, this algorithm will need to be
> licensed anyway. Any "open" authorization offers no protection for
> either the email-address domain owner or the recipient whatsoever
> anyway. (It would seem the protection being sought is for the
> provider.) Being culpable for authorization takes the burden of
> reputation the provider would normally carry and places the
> reputation burden onto the hapless email-address domain owner,
> perhaps in the form of user-feedback.
The coercion you describe depends on how the reputation system
operates. It's unwise to assume that it operates under any particular
set of rules.
With respect to the replay issue, I only want to point out that DKIM
does not need to operate in a vacuum. I do not want to tie it to any
other message authentication technology.
The "hapless" email-address domain owner has the option of not
publishing a contact address (r= in the SSP is optional).
> 3.1. Use of Arbitrary Identities
> DKIM is effective in mitigating against the use of addresses not
> controlled by bad actors, but is not effective against the use of
> addresses they control.
> This effectiveness would be dependent upon the use of '!' (EXCLU)
> authorization. Such setting however would be incompatible with
> several practices. To be compatible with today's common practices,
> authorizations would need to be '~' (NEUTRAL) or "open-ended."
> It would seem the statement "is effective" should be changed to "may
> be effective only when the '!' authorization is being employed. This
> '!' authorization is not compatible with many possible uses."
This paragraph is talking about addresses controlled by bad actors. The
point is that bad actors that own particular domains can sign messages
(i.e., you can't use the presence of a signature to say that a bad actor
didn't originate it). It has nothing to do with SSP.
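To make the distinction Fenton draws concrete (a valid signature only says the signer acknowledges the message came from or through them, while SSP strengthens what a verifier may say about a message with no valid signature), here is an added example of a toy policy evaluator. It is not code from this thread, from the SSP draft, or from any DKIM implementation. The record syntax (`o=` for the outbound policy, `r=` for the optional reporting address), the treatment of `~` as "open-ended" and `!` as "closed", the handling of third-party signatures under `!`, and the disposition labels are all assumptions made for this example; the domains are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed tag values (modelled on the '~' NEUTRAL / '!' EXCLU terms in the thread).
NEUTRAL = "~"    # "open-ended": an unsigned message says nothing about the origin domain
EXCLUSIVE = "!"  # "closed": all mail from the domain is signed by the domain itself


@dataclass(frozen=True)
class SenderPolicy:
    outbound: str                      # NEUTRAL or EXCLUSIVE
    report_addr: Optional[str] = None  # r= is optional, so this is often None


def parse_ssp(record: Optional[str]) -> SenderPolicy:
    """Parse an assumed 'tag=value; tag=value' policy record.

    No record, or a record without a usable o= tag, is treated as NEUTRAL,
    i.e. the weakest claim: nothing can be said about unsigned mail.
    """
    tags: Dict[str, str] = {}
    if record:
        for part in record.split(";"):
            if "=" not in part:
                continue  # tolerate stray separators and trailing ';'
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    outbound = tags.get("o", NEUTRAL)
    if outbound not in (NEUTRAL, EXCLUSIVE):
        outbound = NEUTRAL  # unknown policy value: fall back to the weakest claim
    return SenderPolicy(outbound=outbound, report_addr=tags.get("r") or None)


def evaluate(from_domain: str, signer_domain: Optional[str],
             signature_valid: bool, policy: SenderPolicy) -> str:
    """Combine the origin domain's policy with the message's signature state.

    Returns one of the assumed disposition labels:
      signed-by-origin        valid signature by the origin domain itself;
                              the signer acknowledges the message, nothing more
                              (a bad actor can still sign mail for a domain it owns)
      signed-by-third-party   valid signature by another domain under an open policy
      suspicious-third-party  valid third-party signature under a closed policy
      suspicious-unsigned     no valid signature under a closed policy: the domain
                              owner has asserted it did not send this unsigned
      unsigned-no-claim       no valid signature under an open policy: no claim possible
    """
    from_domain = from_domain.lower()
    if signature_valid and signer_domain:
        if signer_domain.lower() == from_domain:
            return "signed-by-origin"
        if policy.outbound == EXCLUSIVE:
            return "suspicious-third-party"
        return "signed-by-third-party"
    # No valid signature: only a closed policy lets the verifier say anything.
    if policy.outbound == EXCLUSIVE:
        return "suspicious-unsigned"
    return "unsigned-no-claim"


def report_address(policy: SenderPolicy) -> Optional[str]:
    """Where to send feedback, if the domain owner chose to publish r= at all."""
    return policy.report_addr


if __name__ == "__main__":
    # Constructed sample policies and messages.
    closed = parse_ssp("o=!; r=abuse@example.com")
    open_policy = parse_ssp("o=~")
    print(evaluate("example.com", None, False, closed))                      # suspicious-unsigned
    print(evaluate("example.com", None, False, open_policy))                 # unsigned-no-claim
    print(evaluate("example.com", "lists.example.net", True, closed))        # suspicious-third-party
    print(evaluate("badactor.example", "badactor.example", True, parse_ssp(None)))  # signed-by-origin
    print(report_address(open_policy))                                       # None
```

The last call in the block is the point of section 3.1: a valid signature from a domain a bad actor controls evaluates exactly like any other origin-signed message, so the presence of a signature cannot be used to rule the bad actor out. The closed policy, by contrast, is what lets the verifier treat an unsigned message from that domain as suspicious, and it is also the setting that turns a legitimate third-party signature into a suspicious one, which is the incompatibility the quoted text objects to.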