[ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt]
dotis at mail-abuse.org
Fri Jan 13 13:44:27 PST 2006
I will concede the term "policy" generally describes the SSP record.
The term policy does not offer any connotation of this record
offering an affirmation that no signature or a foreign signature is
okay, or instead a denial that no signature or a foreign signature is
okay. The authorization or affirmation term used in the summary was
specifically aimed at creating a specific connotation to assist in
conveying the concern. Affirmation is the mode carrying risk due to
misuse. There have been Really Stupid(tm) misapplications of this
type of "open" policy which have had the effect of unfairly holding
the email-address domain owner accountable.
There are several factors which invite this type of misuse where any
published "open" policy (which allows abuse) could be held against
the email-address domain owner. SSP provides a clear indication for
one such inviting factor, as the email-address domain owner receives
complaints. The only means by which a concerned email-address domain
owner can prevent abuse is by publishing a "closed" policy. As it so
happens, a "closed" policy also means the signer could be an
appropriate recipient for complaints. Any "open" policy exposes the
email-address domain owner to unjustified complaint traffic. However,
"closed" policies also disrupt common email practices, and therefore
are not suitable for general use.
A large domain has an advantage that a smaller domain does not. A
large domain is less likely held accountable and may even be commonly
white-listed to override negative reputations, even when a fair
amount of abuse is emitted by the large domain. This typical
consideration allows large domains far greater latitude with respect
to "open" policies, than a smaller domain would ever enjoy. In
general, "open" policies impose an unfair competitive disadvantage
for smaller domains.
SSP should ensure it is impossible to publish "open" policies to
avoid this potential problem. "Closed" policies still permit
rejection of unsigned messages for those domains willing to forgo
services of any mediator or third-party provider. When only a few
domains publish a policy, the SSP overhead increases. This overhead
is also confounded by the lack of a mechanism to indicate that a
policy does not apply to any sub-domain. This problem in general
also runs afoul of a desire to not force the publication of "open"
policies creating a paradox.
There is a practical alternative to the SSP policy approach described
in the dkim-options that would entail far far less overhead and would
not impose the need for "open" policies.
On Jan 12, 2006, at 6:17 AM, Stephen Farrell wrote:
Some small nits then:
> "Policies can be open or closed. Open policies define a set of
> conformant messages and are silent about other messages. Closed
> policies define the set of conformant messages and other messages
> do not conform to the policy.
Policy is not checked when the email/signing domains match. Policy
is therefore silent when email/signing domains match. When email/
signing domains do not match, SSP indicates whether unsigned or
foreign signed messages are acceptable. With respect to open
policies, _all_ such messages are conformant and acceptable.
> If a domain owner publishes an open policy, and if some "bad"
> unsigned messages apparently emanate from that domain then the
> domain owner's reputation may suffer.
If an _email-address_ domain owner publishes...
... then the _email-address_ domain owner's reputation may suffer.
> Closed policies can disrupt practices such as posting to list
> servers, use of e-invites, and other similar services.
Closed policies can disrupt _common_ practices...
> If unsigned mail from domains with open policies is treated any
> better on the basis that the policy exists, then bad actors will
> search for open policies in order to select the value for a
> falsified From header.
If _third-party_ signatures or _unsigned_ messages from _email-address_
domains with open...
> Searching for a policy statement may have a significant cost and
> bad actors can select messages so as to maximise this cost in an
> attempt at DoS.
...and common strategies used by bad actors to obfuscate the domain
level used for direct registration may have the effect of increasing
the average number of levels that need to be searched.
> Policy statements inherently expose information about the domain to
> which the policy is intended to apply. Bad actors can use this
> information to select values for inclusion in messages."
Bad actors can use this information to increase the number of targets
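The following is an added illustration, not part of this message or of the DKIM drafts it discusses: a small Python model of the SSP decision rule as stated above (policy is consulted only when the From: domain and the signing domain differ; an "open" policy treats unsigned and third-party-signed mail as conformant, a "closed" policy does not). It also counts the DNS lookups a verifier spends walking up the domain tree when no record exists at the exact From: domain, which is the overhead and sub-domain inheritance problem raised in the message. The record representation (`"open"`/`"closed"` strings in a dictionary), the domain names and the function names are assumptions made for the example.

```python
"""Model of the SSP check as described in the message: policy is consulted
only when the From: domain and the signing domain differ.  An "open" policy
accepts unsigned or third-party-signed mail; a "closed" policy does not.
The lookup walk also counts the DNS queries spent locating a policy.
Record format, domain names and function names are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for DNS: From-address domain -> published SSP mode.
# "open" / "closed" are this example's labels, not a wire format.
POLICY_DNS: Dict[str, str] = {
    "example.com": "open",     # unsigned / third-party signed mail is conformant
    "bank.example": "closed",  # only first-party signed mail is conformant
}


@dataclass
class Message:
    from_domain: str                      # domain of the From: header address
    signing_domain: Optional[str] = None  # d= of a verified DKIM signature, None if unsigned


@dataclass
class Verdict:
    status: str    # "first-party", "conformant", "non-conformant" or "no-policy"
    reason: str
    lookups: int   # DNS queries spent locating a policy


def lookup_policy(from_domain: str,
                  dns: Dict[str, str] = POLICY_DNS) -> Tuple[Optional[str], int]:
    """Walk from the From: domain up to (but not including) the TLD looking
    for a policy.  Returns (policy or None, number of lookups).  Because there
    is no way to say "this policy does not apply to sub-domains", a parent's
    record is applied to every label below it, and a From: domain with no
    record at all costs one query per level before the verifier gives up."""
    labels = from_domain.lower().strip(".").split(".")
    lookups = 0
    for i in range(len(labels) - 1):
        name = ".".join(labels[i:])
        lookups += 1
        if name in dns:
            return dns[name], lookups
    return None, lookups


def evaluate(msg: Message, dns: Dict[str, str] = POLICY_DNS) -> Verdict:
    """Apply the open/closed semantics to one message."""
    # Signing domain matches the From: domain: SSP is silent, nothing is queried.
    if (msg.signing_domain is not None
            and msg.signing_domain.lower() == msg.from_domain.lower()):
        return Verdict("first-party", "first-party signature; policy not consulted", 0)

    policy, lookups = lookup_policy(msg.from_domain, dns)
    kind = ("unsigned" if msg.signing_domain is None
            else f"third-party signature by {msg.signing_domain}")
    if policy is None:
        return Verdict("no-policy", f"{kind}; no SSP record found", lookups)
    if policy == "open":
        return Verdict("conformant", f"{kind}; open policy accepts it", lookups)
    return Verdict("non-conformant", f"{kind}; closed policy rejects it", lookups)


if __name__ == "__main__":
    # Constructed sample messages covering each branch of the rule.
    samples = [
        Message("example.com", "example.com"),      # first-party: 0 lookups
        Message("example.com", None),               # open policy, unsigned
        Message("bank.example", "lists.example"),   # closed policy, third-party signed
        Message("mail.bank.example", None),         # inherits the parent's closed policy
        Message("a.b.c.d.e.nowhere.test", None),    # no record anywhere: 6 lookups spent
    ]
    for m in samples:
        v = evaluate(m)
        print(f"{m.from_domain:26} sig={str(m.signing_domain):14} "
              f"-> {v.status:14} ({v.lookups} lookups) {v.reason}")
```

The fourth sample shows the sub-domain problem the message describes: `mail.bank.example` publishes nothing, yet the parent's "closed" record is applied to it after a second query. The fifth shows the search cost: a deeply nested From: domain with no record at any level consumes one query per label before the verifier concludes that no policy exists.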