[ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt]

[Douglas Otis]

On Jan 12, 2006, at 6:17 AM, Stephen Farrell wrote:

>
> I don't think the term authorization is being properly applied  
> there. To me at least authorization is what's happening when a  
> policy enforcement point uses a policy decision point to get a yes/ 
> no answer about some requested action.

I think I understand this perspective.  I will use terminology that  
perhaps more accurately reflects the actual mechanism.  I have looked  
at your restatements, but I feel much of the concern is being  
missed.  I have attempted to remove some of the offensive terminology  
and then emphasize what seems to have been overlooked.

   The terms "open-ended" and "closed" affirmation:

    A basic function of email-address affirmation referenced by way of
    a derived identity is to influence the acceptance or rejection of
    a message.  The term "closed" indicates acceptance is based upon a
    concurrent identity being found within a defined set of
    identifiers.  When acceptance does not require that the identity
    be contained within a defined set, this is described as open-ended
    affirmation.  This definition is not altered by the rating of
    messages once accepted.

   SSP 'o=' Qualifiers:
         "~" Signs some (open)
         "-" All signed & allow other signatures. (open)
         "!" All signed. (closed)
         "." Never sends mail. (closed)
         "^" Check User specific policy (deferred)

3.  SSP Related Threats

3.1  Risks associated with the misuse of "open-ended" affirmations

   Administrators often block abusive messages using lists of sources
   with a history of sending abusive messages.  Within email, the client
   IP address or verified host-name could be used to fairly identify
   sources.  Assuming a mechanism will deal with abusive replays, even
   the DKIM signature could be fairly used.

   Alas, an administrator may also consider acceptance granted as a
   result of an email-address affirmation as "verification of the
   reference identity as a source identifier".  This strategy has the
   effect of holding the email-address domain owner culpable for
   affirmations that lead to acceptance of abusive messages.  When the
   affirmation is open-ended, the email-address domain owner is
   therefore exposed to unfair accruals of abuse based upon
   affirmations.

3.2  Consequences of "closed" affirmations

   When closed affirmations are used, mediators or users obtaining
   access from other providers will likely be outside the set of
   identifiers contained within the affirmation.  Closed affirmations
   will therefore disrupt common practices, such as posting to list
   servers, use of e-invites, and other similar services.

3.3  Impact of accommodating "closed" affirmations

   As a result of affirmations being withheld, the use of multiple
   email-addresses could be employed.  When the mediator is a list
   server, one technique that could be used to ensure delivery would be
   to modify the header being checked to reference a different
   affirmation record.  One form of this technique may introduce
   multiple From email-addresses, where the first email-address conforms
   to the identity of the list-server.  A similar technique could be
   used to overcome closed affirmations imposed by providers where the
   user may also utilize two From addresses.  This could be needed when
   the second address is recognizable to the recipient, but otherwise
   prohibited by closed affirmation.

3.4  Increased overhead checking multiple From addresses

   The From header within a message may contain any number of addresses.
   Some may consider multiple email-addresses a valid means to overcome
   limitations imposed by an affirmation mechanism.  An email-address
   affirmation strategy should either recommend the selection of the
   first email-address or recommend all email-addresses be checked.  To
   permit a method for conveying the purported author, affirmations
   could be limited to the first email-address.  However, multiple From
   addresses creates risks by confusing the recipient and may be poorly
   handled by the email applications.  Precluding acceptance of any From
   address in conflict with an affirmation further increases the
   overhead associated with searching for affirmations.

3.5  Coercive ratings when not publishing an affirmation record

   Email-address derived affirmations provides advantages for large
   domains.  Large domains are much less sensitive to abuse histories as
   they are often excluded from block-lists due to their size.  However,
   smaller domains are much more prone to being negatively impacted by
   unfair accruals.

   Down-rating domains without email-address affirmations by larger
   domains is a technique used to coerce other domains into publishing
   affirmations.  Open-ended affirmations are needed to permit current
   practices expected by customers, but then these affirmations may fall
   prey to bad actors who utilize them for their abuse.  When these
   smaller domains become placed within block-lists, there will be an
   exodus over to the larger domains.  Coercing the use of the email-
   address affirmation also mitigates the overhead associated with
   searching for these records.


3.6  Exploitation of "open-ended" affirmation being unfairly attributed
      to the mail-address domain owner

   When messages obtain improved ratings which depend upon the email-
   address having been affirmed, then open-ended affirmation records
   will allow bad actor to use these affirmation records to improve
   their message acceptance ratings.  To ensure messages are accepted
   after passing through other mediators, an open-ended affirmation is
   required of the email-address domain owner.  Unfortunately, the
   email-address domain owner is unable to control whether their
   affirmation is seen as a "weak" form of authentication and
   subsequently used to accrue abuse from all permitted sources.  As a
   result of message ratings based upon affirmation, open-ended
   affirmations, and the assumption of affirmation being a "weak"
   identifier, the email-address domain owner may find their domain
   subsequently block-listed.

3.7  Overhead of email-address affirmation retrivial

   The overhead related to a defensive strategy should not increase the
   burden of the recipient as opposed to that of the sender.
   Unfortunately, walking up label trees searching for email-address
   affirmation records imposes a relatively high overhead.  This
   overhead is kept high as few lookups return an affirmation record and
   therefore the lack of a record will be retained only briefly within
   the DNS cache.  This increased overhead must be mitigated or this
   will increase the susceptibility of being overwhelmed by abusive
   messages.

3.8  Label depth found in abusive email versus legitimate email

   Bad actors take advantage of an evolving structure of top, second,
   third, and forth level domains.  Often bad actors create a series of
   random labels above some domain to make it difficult to filter, as
   the significant level where the direct registration is made becomes
   difficult to determine algorithmically.  This practice tends to
   increase the number of labels found in abusive messages.

3.9  Email-address guessing attacks of local-part affirmations

   Defensive programs currently defend against email-address guessing
   attacks being attempted at the SMTP server.  DNS however is not
   normally designed to identify such searches, and with the lower
   latency of DNS, these attacks can be more productive at determining
   valid email-addresses when user specific affirmations are being
   published.



> So, if I collect together those restatements then my synopsis of  
> your suggested text would be:
>
> "Policies can be open or closed. Open policies define a set of  
> conformant messages and are silent about other messages. Closed  
> policies define the set of conformant messages and other messages  
> do not conform to the policy.

Open policies (open affirmations) affirm the use of the email-address  
by indicating what signatures or lack of signatures are acceptable.   
In the case of an open affirmation, the use of any email-address is  
equally affirmed.  The reference identifier is derived from the email- 
address which is affirmed when the signature is within the set of  
concurrent identifiers determined by the SSP record.  On the other  
hand, a closed policy only affirms with specific signatures.   
Assuming there is value associated with the email-address domain  
matching the signing-domain, this value would be independent of the  
affirmation derived from the email-address.

The value of the email-address domain matching that of the signing  
domain depends upon the usage patterns.  If it becomes common for  
large providers to sign any and all email-addresses, and for bad- 
actors to sign their own messages, the value obtained when these  
domains match would be hard to quantify.  This value would not be a  
function of the affirmation record however.


> If a domain owner publishes an open policy, and if some "bad"  
> unsigned messages apparently emanate from that domain then the  
> domain owner's reputation may suffer.

The email-address domain owner's reputation may unfairly suffer.   
This seems to have missed the problem.


> Closed policies can disrupt practices such as posting to list  
> servers, use of e-invites, and other similar services.

This should be stated as _common_ practices in the impact statement.


> If unsigned mail from domains with open policies is treated any  
> better on the basis that the policy exists, then bad actors will  
> search for open policies in order to select the value for a  
> falsified From header.

Perhaps signed or unsigned email from email-address domains with open  
affirmations.  The open affirmation indicates what signatures are  
acceptable.  SSP looks at the email-address and then decides if the  
signature is acceptable as a means to affirm the use of the email- 
address by the signer.


> Searching for a policy statement may have a significant cost and  
> bad actors can select messages so as to maximise this cost in an  
> attempt at DoS.

This misses much of the concern.  The result of using more than  
normal labels is independent of the desire to create a DoS.  In fact  
most bad actors would want their email accepted, but employ a common  
strategy to avoid being easily identified.  The DoS concern should be  
focused upon the ability to extend current equipment to handle  
increased recipient burdens.  DKIM requires the entire message be  
accepted before the signature can be checked.  Checking will require  
the lookup of a public key that hopefully will be cached.  This  
caching may not be practical when per-user keys are used.  SSP  
however adds searches which comprise a sequence of rather expensive  
lookups, as most will return no-record not likely be cached.  Of  
course the per-user aspect of caching pertains to the affirmation  
records as well.  This overhead could be exasperated by demanding all  
 From email-addresses should be checked.


> Policy statements inherently expose information about the domain to  
> which the policy is intended to apply. Bad actors can use this  
> information to select values for inclusion in messages."

The exposure of email-addresses is impacted by the use of 'g=' within  
the key, the 'i=' within the signature, and the 'o=^' in the SSP  
record.  There is active and illicit trading of email-addresses which  
are used for the targets of abusive messages.  It seems rather ironic  
that an effort to abate abuse adds new ways to expose more targets  
for abuse.

-Doug