[ietf-dkim] Re: Responsibility concerns with DesignatedSigning
hsantos at santronics.com
Sun Aug 27 08:55:13 PDT 2006
----- Original Message -----
From: "Frank Ellermann" <nobody at xyzzy.claranet.de>
> Maybe I'm only confused. But apparently we have two groups
> here, some interested in "DKIM pure" without SSP, and others
> interested in DKIM + SSP.
Yes, but I think overall it comes down to unrestricted (uncontrolled)
vs. restricted (controlled) 3rd party signatures. SSP would be the proposed
way to control them.
I believe this was one, if not the main, point of contention, which started with the
terminology I used of "Exclusive" for the o=! SSP-01 policy in Section 5:
! All mail from the entity is signed; Third-Party signatures
SHOULD NOT be accepted.
I called that the "exclusive" policy, and the debate and deep division started
over what that really means and the idea of allowing 3rd party signatures
EVEN if you ignore them.
My argument was that the "existence" of a 3PS, even if you ignore it,
possibly represents "bad" events that were not expected by the domain.
One school of thought was that if the OA signed his mail, it shouldn't be a
security problem if there were hops that blindly signed as 3rd party
entities. That was John's main point.
I agreed that as long as a valid OA signature is present, it should
lower security concerns when you have 3rd party signatures. But what if the
mail integrity was destroyed and the OA signature is no longer valid? Is
this security still intact?
This is why I have a problem with the DKIM-BASE logic that says:
Only one valid signature is required in a multiple
And when you couple this with the other DKIM-BASE mandate:
Ignore failed signatures
you have a huge spectrum of potential issues when trying to make sense out
of all this. This opened a security threat where phishers can throw in a
fake OA DKIM-Signature that he knows will fail, but then sign as an
unrestricted 3rd party:
Subject: Check your account
Date: Sun, 27 Aug 2006 05:04:42 -0700
From: accounts at bank.com
To: PoorUser at ISP.COM
Sender: support at asp.com
DKIM-Signature: d=bank.com # invalid 1st party
DKIM-Signature: d=asp.com... # valid 3rd party
According to DKIM-BASE, the valid 3PS signature would make this a valid
DKIM message, even if the 1st party signature failed.
Anyway, DKIM-BASE intentionally leaves much of this to local policy.
My point is that with SSP, bank.com should at the very least be allowed to
optionally declare a signing policy indicating whether or not it allows asp.com
or anyone else to sign mail on its behalf.
I think Mike, Dave and others do support or 'understand' the need for a
few basic general policies like SIGN or NO SIGN, but it is the unrestricted
vs. restricted 3rd party signatures that we mostly differ on. At least that
is how I see where the disagreement lies.
Hector Santos, Santronics Software, Inc.
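The verdict logic the message above argues about, as an added example that is not part of the original post or of any DKIM implementation: a verifier evaluates the same phishing header set under the DKIM-BASE rule ("one valid signature is enough, failed signatures are ignored") and under an SSP-style policy for the From: domain. The header block is constructed from the post's example (addresses written with "@", tag values other than d= are placeholders), and the per-signature pass/fail results are supplied as input rather than computed, since no cryptographic verification is done here. The policy name "exclusive" is the post's term for o=!; "unrestricted" is an assumed label for the no-restriction case.

```python
import re
from dataclasses import dataclass

# Constructed header block reproducing the phishing scenario from the post
# (addresses written with "@"; tag values other than d= are placeholders).
PHISH_HEADERS = """\
Subject: Check your account
Date: Sun, 27 Aug 2006 05:04:42 -0700
From: accounts@bank.com
To: PoorUser@ISP.COM
Sender: support@asp.com
DKIM-Signature: v=1; a=rsa-sha256; d=bank.com; s=sel; bh=...; b=...
DKIM-Signature: v=1; a=rsa-sha256; d=asp.com; s=sel; bh=...; b=...
"""

# Assumed outcome of cryptographic verification for each d= domain
# (no crypto is performed here): the forged bank.com signature fails,
# the asp.com signature the phisher controls verifies.
PHISH_OUTCOMES = {"bank.com": False, "asp.com": True}


@dataclass
class SigResult:
    domain: str   # d= tag of one DKIM-Signature header
    valid: bool   # did the signature verify


def author_domain(headers: str) -> str:
    """Domain of the From: header (the originating author, OA, in the post)."""
    m = re.search(r"^From:[^\n]*?@([A-Za-z0-9.-]+)", headers, re.M | re.I)
    if m is None:
        raise ValueError("no From: header")
    return m.group(1).lower()


def signature_domains(headers: str) -> list[str]:
    """d= tag of every DKIM-Signature header, in header order."""
    domains = []
    for line in headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() != "dkim-signature":
            continue
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", value)
        if m:
            domains.append(m.group(1).lower())
    return domains


def collect(headers: str, outcomes: dict) -> list[SigResult]:
    """Pair each signature with its (assumed) verification outcome."""
    return [SigResult(d, outcomes.get(d, False)) for d in signature_domains(headers)]


def dkim_base_verdict(results: list[SigResult]) -> bool:
    """DKIM-BASE rule as the post paraphrases it: one valid signature is
    enough, and failed signatures are ignored."""
    return any(r.valid for r in results)


def ssp_verdict(policy: str, author: str, results: list[SigResult]) -> tuple[bool, str]:
    """Apply a sender signing policy for the From: domain.

    'unrestricted' : assumed label; no restriction on 3rd-party signers
                     (same outcome as DKIM-BASE)
    'exclusive'    : the post's name for o=!: all mail is signed and
                     third-party signatures SHOULD NOT be accepted
    """
    first = [r for r in results if r.domain == author]
    third = [r for r in results if r.domain != author]
    if policy == "unrestricted":
        ok = dkim_base_verdict(results)
        return ok, "any valid signature accepted" if ok else "no valid signature"
    if policy == "exclusive":
        if any(r.valid for r in first):
            return True, "valid first-party signature"
        if third:
            # The case the post worries about: OA signature absent or broken,
            # only a 3rd-party signature verifies.
            return False, "only third-party signatures present or valid"
        return False, "first-party signature missing or failed"
    raise ValueError(f"unknown policy {policy!r}")


def evaluate(headers: str, outcomes: dict, policy: str) -> tuple[bool, str]:
    """Verdict for one message under one policy."""
    return ssp_verdict(policy, author_domain(headers), collect(headers, outcomes))


if __name__ == "__main__":
    for policy in ("unrestricted", "exclusive"):
        print(policy, evaluate(PHISH_HEADERS, PHISH_OUTCOMES, policy))
```

Run as a script, the phishing message is accepted under "unrestricted" (the valid asp.com signature suffices) and rejected under "exclusive" (the bank.com signature failed and only a third party verifies), which is the difference in outcome the post describes. Swapping in outcomes where bank.com verifies shows the legitimate case: the first-party signature carries the verdict regardless of additional third-party signatures.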