[ietf-dkim] Fenton-DKIM-Threat-02 3.1. Use of Arbitrary Identities (and SSP)

Douglas Otis dotis at mail-abuse.org
Thu Jan 5 17:10:45 PST 2006


On Jan 5, 2006, at 3:41 PM, Jim Fenton wrote:

> Douglas Otis wrote:
>
>> Perhaps this can help with context.
>>
> [very good chart removed for brevity]

This chart also needs to be updated to remove the '?' qualifier I  
believe.  As I indicated, the chart still raises concerns.  Having a  
signature without a policy is given a lower rating than not having  
a signature.  The same is true for 3rd-party signatures.  This is  
dunning those without policies and discounting the signer.  That is  
being coercive.  This is bad as publishing the SSP record also  
increases the exposure to those administrators willing to equivocate  
about source identifiers.  Having an "open" authorization increases  
risks in those cases.  The chart should assume the sender is  
intelligent and publishes nothing in these cases.  There should be  
only two policies possible, '!' and '.'.  Any other policy is  
foolish.  The rating scheme should emphasize the signer over the SSP  
record, but when pared down to just these two policies, that  
situation is resolved.


> The chart does not hold anyone culpable.

Spend a bit more time studying the matrix.  Why demerits for not  
having a policy or for using third-party signatures?  Why is the  
email-address domain owner (I don't want to assume they are actually  
the originator) the entity publishing a contact?  There has been at  
least a solid two years of arguing (not with you) that authorization  
is not authentication, but this chart seems to be based once again  
upon this false assumption. : (


> When a message is received with a valid signature, the signer is  
> acknowledging that the message came from or through them.

The terminology should be specific.  "Only the signing-domain is  
accountable for the message."


> [We should really work out the wording on this:  do they "take  
> responsibility"?  Are they "accountable"?  But I digress.]  What  
> SSP does is to strengthen what can be said of a message without a  
> valid signature:  it gives the email-address domain owner (to use  
> your term) or originating-address domain owner (to use mine) the  
> ability to assert that they didn't send the message.  So it makes  
> them less culpable, not more.

This statement assumes the authorization is '!' which breaks the way  
email works.  Messages to this list would be lost for example.  For  
normal uses, SSP does not offer one iota of protection.  Of course,  
when the DKIM signature is used as a basis for recognition, no  
authorization is needed and yet protection is still afforded. : )


> It's true that there is no reporting address associated with the  
> signer (there is the n= (notes) field in the key record, but no  
> guidance about putting a reporting address there).  That is perhaps  
> something that should be added; do you think it belongs in the key  
> record or in the signature itself?

Perhaps it would make sense to establish a convention,  
DKIM-POSTMASTER@ perhaps.  If this seems too rigid, perhaps an entry in  
the key, but this makes the key even larger.  Adding the reporting  
address within the header could be problematic for delegated keys.


> The coercion you describe depends on how the reputation system  
> operates.  It's unwise to assume that it operates under any  
> particular set of rules.

After the last few years, I too agree that it would be unwise to  
assume how reputation is applied.  This is why it would be less than  
intelligent to publish any policy other than '!' or '.'.


> With respect to the replay issue, I only want to point out that  
> DKIM does not need to operate in a vacuum.  I do not want to tie it  
> to any other message authentication technology.

Keep in mind there is a header selection conflict between DKIM and  
Sender-ID.  The conclusion reached more than a year ago, "open-ended"  
authorizations are worthless.  As the only safe policy to publish is  
"closed," this suggests the PRA algorithm should be re-examined,  
especially if Sender-ID is considered a means to offer replay  
protections.  There is also an alternative to the authorization  
scheme that offers better protections.  CSV and In-Channel checks  
could be yet another alternative for message replay abuse.  Leave the  
email-address domain owner harmless.  Only the administrator knows  
who is using the email-address.


> The "hapless" email-address domain owner has the option of not  
> publishing a contact address (r= in the SSP is optional).

But the hapless email-address domain owner cannot control those  
administrators willing to equivocate about source identifiers.  The  
'r=' suggests this is the entity that is seen as accountable.  Not  
publishing the SSP record offers more protection than not publishing  
an 'r=' parameter.


>> Fenton-DKIM-Threat-02
>>
>> 3.1.  Use of Arbitrary Identities
>> ...
>>  DKIM is effective in mitigating against the use of addresses not
>>  controlled by bad actors, but is not effective against the use of
>>  addresses they control.
>>
>
> This paragraph is talking about addresses controlled by bad  
> actors.  The point is that bad actors that own particular domains  
> can sign messages (i.e., you can't use the presence of a signature  
> to say that a bad actor didn't originate it).  It has nothing to do  
> with SSP.


>> "DKIM is effective in mitigating against the use of addresses not  
>> controlled by bad actors,..."

This is the portion of the statement that is highly misleading.  DKIM  
is not effective at mitigating the use of addresses not controlled by  
bad actors unless a "closed" authorization is used such as '!' or  
'.'.  A clarification that a "closed" authorization is not  
compatible with many common uses of email would also ensure that  
someone reading this would not be dramatically misled.

-Doug
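The following is an added illustration, not code from the thread or from any DKIM draft. It is a toy model of the verifier-side decision the two posters are arguing about: a valid signature makes the signing domain accountable, and the SSP record of the email-address domain only adds information when it is "closed". The meaning given here to '!' (all mail from the domain carries a first-party signature) and '.' (the domain never sends mail) is an assumption for the example; the message records and the verification results are constructed sample data rather than real DKIM verification.

```python
"""Toy model of how a DKIM signature and an SSP policy combine at a verifier.

Assumed policy semantics (not defined on the page; labelled as assumptions):
  '!'  -> the address domain asserts all its mail carries a first-party
          signature, i.e. the signing domain equals the From domain
  '.'  -> the address domain asserts it never sends mail
  None -> no SSP record published
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Message:
    from_domain: str                 # domain of the email address
    signer_domain: Optional[str]     # d= of the signature that verified, or None
    signature_valid: bool            # constructed verification result


def evaluate(msg: Message, ssp_policy: Optional[str]) -> str:
    """Return the conclusion a verifier can draw from signature plus policy."""
    if msg.signature_valid:
        # A valid signature makes the signing domain accountable.  The SSP
        # record only matters if it demands a first-party signature.
        if ssp_policy == "!" and msg.signer_domain != msg.from_domain:
            return "ssp-fail: third-party signature, policy requires first-party"
        return f"accountable: {msg.signer_domain}"
    # No valid signature: only a closed policy says anything at all.
    if ssp_policy == ".":
        return "ssp-fail: domain asserts it sends no mail"
    if ssp_policy == "!":
        return "ssp-fail: domain asserts all its mail is first-party signed"
    return "unknown: no signature and no closed policy"


# Constructed sample messages (example.com / example.net are reserved names).
DIRECT = Message("example.com", "example.com", True)        # sent and signed by the domain
VIA_LIST = Message("example.com", "list.example.net", True)  # list re-signed after modification
UNSIGNED = Message("example.com", None, False)               # no usable signature


def simulate() -> Dict[str, str]:
    """Run the three samples against each policy so the matrix can be read."""
    out: Dict[str, str] = {}
    for policy in (None, "!", "."):
        for name, msg in (("direct", DIRECT), ("via_list", VIA_LIST), ("unsigned", UNSIGNED)):
            out[f"{name}/{policy}"] = evaluate(msg, policy)
    return out


if __name__ == "__main__":
    for key, verdict in simulate().items():
        print(f"{key:14} {verdict}")
```

Reading the matrix: the `via_list/!` row is the mailing-list case the reply refers to, where a legitimate third-party signature is turned into a policy failure, while `unsigned/None` shows that without a closed policy the absence of a signature tells the verifier nothing either way.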
