[ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt]
dotis at mail-abuse.org
Mon Jan 16 10:20:17 PST 2006
On Jan 15, 2006, at 1:40 PM, Jim Fenton wrote:
> Douglas Otis wrote:
>> On Thu, 2006-01-12 at 16:49 -0800, Jim Fenton wrote:
>> The signature itself proclaims the role of being accountable for
>> the message. A signing-domain matching the domain of some email-
>> address does not mean the signing-domain has verified permissions
>> for the email-address. In addition, the 'i=' parameter does not
>> need to exist or match any email-address. When the 'i=' parameter
>> does match some address, reliance upon this parameter must be
>> conditioned upon whether the key is delegated, and whether the
>> header is included within the signature.
> I'm not sure how one tells that the key is delegated, nor why that
> is relevant to the verifier.
With DKIM and SSP, the verifier has few reliable elements of
information beyond the verification of the signature. When a key has
been delegated, additional elements within the signature itself are
therefore less reliable. There is no clear indication within DKIM
when this information is or is not reliable. There is not even a
strong statement the 'i=' element should be used.
>>> SSP adds the ability to provide some advice on what to do about
>>> unsigned messages. It doesn't authorize anything -- depending on
>>> the policy, it may determine that certain messages are
>>> "suspicious". It never makes a positive assertion. A "signs
>>> some" policy is the same as not having SSP at all; the other
>>> policies are more restrictive.
>> This is really a matter of semantics. The glass half full or
>> empty, or in this case, affirmed acceptable (authorized) or not.
>> When the signing-domain matches the email-address domain, the SSP
>> record plays no role. The SSP record may affirm that the message
>> is still acceptable when the email-address domain owner approves
>> the lack of signatures or the signatures of foreign domains.
> I basically agree. It's a fine point, but what the email-address
> domain is actually doing is describing its practices, since it
> doesn't have any standing to approve anything for the verifier.
A domain does have the standing to proclaim messages using email-
addresses within their domain will not always include their
signature, an open-ended policy. This proclamation could be called
any number of things. Even when restricted to semantics of actions
rather than authorizations or affirmations for these types of
messages, the same information is conveyed. I agree _how_ this
information gets used is well beyond the control of the sender. As
such, publishing closed policies offers _less_ risk of being block-
listed than publishing open-ended policies. Fortunately, DKIM
should not require the use of open-ended policies.
There are no protective benefits obtained publishing open-ended
policies. The crux of the concern appears to be whether there is any
risk of being held culpable for the abuse permitted when publishing
an open-ended policy. The basis for this concern only requires that
verifiers increase the ratings of messages when a policy is obtained
for an email-address. This is not inconceivable, and is perhaps even
likely, as there are major providers already making this type of
assessment. Not allowing the publishing of open-ended policies by
design better ensures this type of coercion (holding the email-
address domain owner culpable rather than the signing-domain) is
>> It is rather meaningless to offer such policy distinction. A bad
>> actor can sign messages. If the message goes through a mediator,
>> the signature could be damaged and thus considered to not exist.
>> This policy makes little sense.
> This is a good topic for discussion when we are discussing SSP
> itself, not the threats document.
This statement was directed specifically to the purported purpose of
an open-ended policy, as compared to risks publishing open-ended
policies. Allowing the publishing of open-ended policies makes it
far more difficult to ensure a major domain will not take advantage
of this lowered threshold and increase the ratings for a message when
any type of policy is found. The risks related to this possible and
perhaps even probable behavior should be apparent.
Just as the verifier's behavior can not be predicted, statements
related to the protection of an email-address should be equally
couched, but they are not.
More information about the ietf-dkim