[ietf-dkim] Fenton-DKIM-Threat-02 3.1. Use of Arbitrary Identities (and SSP)

Jim Fenton fenton at cisco.com
Mon Jan 9 14:25:16 PST 2006


Douglas Otis wrote:

> Being hammered with complaints would suggest otherwise.  Placing any 
> "reporting" address at an authorization is simply wrong.  This is a 
> hold-over from the equivocation that has occurred in the past.  In 
> cases where there has been an exclusive policy such as '!' or '.' 
> then the signing domain remains just as unique.  Only the signing-
> domain should have a "report" link, never the authorization record.

This is beyond the scope of the threats document.  Feel free to bring it
up again when we're discussing SSP.

>
>
>>>>> "DKIM is effective in mitigating against the use of addresses  not
>>>>> controlled by bad actors,..."
>>>>
>>>
>>> This is the portion of the statement that is highly misleading.  
>>> DKIM is not effective at mitigating the use of addresses not 
>>> controlled by bad actors unless a "closed" authorization is used 
>>> such as '!' or '.'.   A clarification that a "closed"  authorization
>>> is not compatible with many common uses of email  would also ensure
>>> that someone reading this would not be  dramatically misled.
>>
>>
>> I guess it depends on what you consider to be a "mitigation".  Note 
>> that it does not say that it prevents the use.
>
>
> For normal use, an authorization scheme used in conjunction with DKIM 
> does not offer an ability to mitigate the misuse of one's email-
> addresses.  There should be an admission that only in an exceptional 
> and highly restrictive case, can DKIM offer this protection in 
> conjunction with authorization.  This then wanders down the road of 
> multiple from addresses, but again this depends upon how SSP is 
> resolved.   There are some safe generalizations that can be made 
> about an authorization scheme, but the caveats regarding the use of 
> authorization should not be overlooked.  Try to keep an open mind 
> about how DKIM offers protection.  I would not be concerned by an 
> authorization scheme that only includes the '!' and '.' policies.   
> Anything else invites equivocation and coercion with respect to what 
> is authentication, and who ultimately is held accountable.

Going back to the original statement, this has nothing to do with SSP. 
It simply says that bad actors can sign their own messages from their
own domains, and I think we all agree with that.

-Jim

