[ietf-dkim] punting into near-term standardization
hsantos at santronics.com
Sun Aug 6 01:33:24 PDT 2006
----- Original Message -----
From: "Dave Crocker" <dhc at dcrocker.net>
To: <ietf-dkim at mipassoc.org>
> The two that I vote for are:
> 1. I sign everything.
> 2. I send no mail.
Dave, these are OK, but please consider the implementation considerations
that were already discussed in the old list as well as here.
Let's assume these are it. How do we implement it?
Let's use an email example:
In order to satisfy the checks, my verifier needs to do a DNS SSP lookup.
If the policy said "I send no mail", then this is strong evidence that this
message is unauthorized and unacceptable. Agreed?
If the policy said "I sign everything", then the existence of the
DKIM-Signature is checked. If it was missing, then this is strong evidence that
this message is unauthorized and unacceptable. Agreed?
But it does exist, so you have two security questions here:
- Was a signature expected?
- Was a 3rd party signature expected?
Let's handle the first question first - "Was a signature expected?"
It is quite conceivable that during the migration period, many systems will
implement a DKIM verifier first before completing the DKIM signing
component. During this phase, it would not be signing messages, so no
message is expected to be signed.
Understandably, some people said that checking the KEY will fail, so this is
basically the same as "I never sign mail."
But isn't that a 2nd DNS lookup? By simply adding the policy "I never sign mail",
the 1st SSP lookup would satisfy this requirement in an efficient and
There could be other reasons why one may not want his mail signed besides
migration, but migration, to me, seems to be a good reason; in fact, I can
see us completing the DKIM verifier first before we get into the signing
part. So I see this as a reasonable and practical situation.
Now, the more complex issue is the second question "Was a 3rd party
signature expected?"
I believe this is where the major source of contention lies, in simplifying the
policies vs. enhancing the security of the system.
But consider this: During the 1st SSP lookup, if there was a policy "Only I
sign mail", then we immediately resolve this condition without additional
overhead or change in logic. The verifier simply sees the d=xyz.com and it
will immediately know this is not a desirable condition expected by the
domain. 1 DNS lookup is all that was required.
So in my opinion, there is sound technical reason to include:
"I never sign mail"
"Only I send mail"
I hope this makes sense and I hope you take the time to review my comments
here and see it from a software implementation standpoint.
I just want to add that my #1 goal is to optimize rejection with 100% True
Negatives at the transport level by eliminating the most obvious failure
conditions that can occur.
All the rest will be passed to other MFA (Mail Filter Agents) including
Hector Santos, Santronics Software, Inc.
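As an added illustration, not code from Hector's post or from any DKIM implementation, here is the verifier decision flow the message walks through: one SSP lookup (replaced by a constructed in-memory table keyed on the From: domain), then the "was a signature expected" and "was a 3rd party signature expected" checks, using the policy names from the thread. Treating a first-party signature from a domain that publishes "I never sign mail" as a failure is my assumption, as is the choice to hand every non-obvious case to the other MFAs rather than decide it here.

```python
import re
from email import message_from_string

# Constructed stand-in for the SSP DNS lookup (no real DNS is queried),
# keyed by the From: domain. Policy strings are the ones from the thread.
SSP_POLICY = {
    "nomail.example": "I send no mail",
    "signsall.example": "I sign everything",
    "firstparty.example": "Only I sign mail",
    "unsigned.example": "I never sign mail",
}

REJECT = "reject"               # obvious failure: drop at the transport level
DEFER = "pass to other MFA"     # not decidable by the SSP lookup alone

def from_domain(msg):
    """Domain part of the From: header, lower-cased, or None."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg["From"] or "")
    return m.group(1).lower() if m else None

def signer_domain(msg):
    """The d= tag of the first DKIM-Signature header, or None if unsigned."""
    sig = msg["DKIM-Signature"]
    if sig is None:
        return None
    m = re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", sig)   # folded headers are fine
    return m.group(1).lower() if m else None

def evaluate(raw_message):
    """One SSP lookup, then the two checks from the thread. Returns (verdict, reason)."""
    msg = message_from_string(raw_message)
    fd, sd = from_domain(msg), signer_domain(msg)
    policy = SSP_POLICY.get(fd)                        # the single DNS SSP lookup
    if policy is None:
        return DEFER, "no SSP policy published for %s" % fd
    if policy == "I send no mail":
        return REJECT, "%s publishes that it sends no mail" % fd
    if policy == "I never sign mail":
        # Assumption: a first-party signature from a domain that says it never
        # signs cannot verify (its key lookup would fail), so it is rejected.
        if sd == fd:
            return REJECT, "%s says it never signs, yet claims to have signed" % fd
        return DEFER, "unsigned mail is what %s expects" % fd
    # Both "I sign everything" and "Only I sign mail" expect a signature.
    if sd is None:
        return REJECT, "%s requires a signature and none is present" % fd
    if policy == "Only I sign mail" and sd != fd:
        return REJECT, "third-party signer %s is not authorized by %s" % (sd, fd)
    return DEFER, "signature by %s goes on to cryptographic verification" % sd
```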