[ietf-dkim] "I sign everything" yes/no
Douglas Otis
dotis at mail-abuse.org
Tue Nov 21 21:14:32 PST 2006
On Nov 21, 2006, at 7:49 PM, Hector Santos wrote:
> Douglas Otis wrote:
>>
>> It remains conjecture that an authorization scheme provides a
>> measurable reduction in the success rate. As bad actors are able
>> to authorize their own messages in various forms, an authorization
>> scheme may increase the success rate of phishing attempts.
>> Recipients are not protected by such a highly flawed scheme.
>
> I don't understand why you make it so difficult.
>
> If I say "all my mail is signed" and that expectation is defined
> based on a standard SSP protocol established, then a RECEIVER and
> the original DOMAIN owner should be as happy as a pig in mud when
> fraudulent MAIL is arriving without signatures.
This presumes bad actors are blocked by an easily defeated scheme.
Guidance offered by SPF suggests the number blocked is less than
3%. In addition, blocking is not as black and white as you suggest.
What happens when someone sends a message to a mailing list?
Bad actors easily create messages that appear official and blessed by
their authorization record. The recipient is still in the muck
sorting through fraud while attempting to uncover a bad actor's many
tricks. With EAI, there are now two email-addresses published per From
entity. Which email-address is checked? What part of the
email-address is displayed, if any? An authorization scheme alone
benefits bad actors.
> The first thing that we will be getting rid of is the legacy
> malicious exploiters of domains who are not going to follow
> anything or would care for anyway.
Are you talking about including policies for the Mail From as well?
> But sure, bad actors can participate in the DKIM/SSP process and in
> my view, that is great if we can get them to ADAPT in a positive
> way - our way.
The recipient is still lost attempting to decide which messages are
valid. Look-alike and cousin domain ploys are not defeated. Without
evidence there is any value validating the DKIM signature, it should
not be done. Here domain association techniques can play a greater
role than would any authorization scheme. If there is any
authorization scheme added, it would be practical in only a very
small portion of domains sending messages. Hardly worth the overhead.
> That is where the additional layers come into play, such as
> REPUTATION if that is what the receiver wants to use to further
> give credence to a DKIM-ready message.
Without a means to prevent positive reputations (white-listing) from
being abused, positive reputation use is highly prone to abuse. Anti-replay
protections require some means to associate DKIM signing with the
SMTP client. SPF does not offer a safe method for this association.
As the envelope is not included within the DKIM signature,
unsolicited messages cannot accrue against the signing domain. It
would be a bad outcome when messages are rejected because envelopes
do not match message headers.
> The goal is to eliminate the obvious and that obvious comes in
> detecting the invalid conditions and if a DOMAIN exposes a policy
> implying invalid conditions were not expected, then all the
> receiver needs to junk or do something with that message and the
> receiver and original domain would be protected. We don't need an
> MUA to get involved.
In an ideal world, perhaps. Limiting this effort to only
authorization is the wrong choice. While the MTA might be able to
block 2.5% of non-compliant messages, the success rate of phishing
will hit a new high, and the integrity of email delivery will hit a
new low. DKIM requires the MUA to annotate messages. The DKIM
signature is not visible _by design_. There is no assurance what the
recipient sees in a non-DKIM aware MUA. This must change, and
efforts must focus upon message annotations. Once the recipient has
an MUA that compares signed messages against their address-book,
there is _absolutely_ no need for an authorization scheme, the
sizable overhead, and the many delivery problems with incumbent
support calls.
Why not allow the MUA to safely apply annotations based upon a
recipient's out-of-band knowledge of the sender? What annotations
can be applied based upon an email-address domain authorizing their
own messages? None. When authorization is the only goal, then
practical, safe, and reasonable has been completely missed.
-Doug
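The address-book comparison Doug describes above, written out as an added example (this is not code from the original message, from the ietf-dkim list, or from any DKIM implementation). It assumes that the DKIM signature has already been verified cryptographically upstream (the verify result is passed in as a flag), that the MUA keeps, per correspondent, the signing domain (d= tag) previously seen on their mail, and it uses constructed sample messages with placeholder signature values. The point it shows: the annotation is driven by the recipient's own knowledge of the sender, so a look-alike domain that validly signs its own mail gets no credit, while a known correspondent arriving unsigned or signed by an unexpected domain is flagged.

```python
"""Address-book driven annotation of DKIM-signed mail (added example).

Assumption: DKIM-Signature verification happened upstream (e.g. in the
MTA); `signature_verified` carries that result. Address book, domains and
messages below are constructed for this example.
"""
import email
from email.utils import parseaddr

# Constructed address book: correspondent -> DKIM signing domain (d= tag)
# previously seen on their mail. Keys and values are lower-case.
ADDRESS_BOOK = {
    "alice@example.com": "example.com",
    "billing@bank.example": "bank.example",
}


def _tags(dkim_header):
    """Parse the tag=value list of a DKIM-Signature header into a dict."""
    out = {}
    unfolded = dkim_header.replace("\r\n", "").replace("\n", "")
    for part in unfolded.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            out[key.strip()] = "".join(value.split())  # drop folding whitespace
    return out


def annotate(raw_message, signature_verified):
    """Return (level, reason) for a raw RFC 5322 message.

    level is one of "trusted", "warning", "unknown"; only "trusted"
    means the recipient's own address book vouches for the sender.
    """
    msg = email.message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    known_domain = ADDRESS_BOOK.get(from_addr.lower())

    dkim = msg.get("DKIM-Signature")
    sig_domain = _tags(dkim).get("d", "").lower() if dkim else None

    if known_domain is None:
        # Not in the address book: a valid signature from a look-alike or
        # cousin domain proves only that the look-alike signed it.
        return ("unknown", "sender not in address book")
    if not dkim:
        return ("warning", "known sender, but message is unsigned")
    if not signature_verified:
        return ("warning", "known sender, but signature did not verify")
    if sig_domain != known_domain:
        return ("warning",
                f"known sender, but signed by {sig_domain}, expected {known_domain}")
    return ("trusted", f"signed by {sig_domain}, matching address-book entry")


# Constructed sample messages; bh= and b= are placeholders, not real values.
SIGNED_FROM_CONTACT = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;
 h=from:to:subject; bh=placeholder; b=placeholder
From: Alice <alice@example.com>
To: me@mua.example
Subject: hello

body
"""

LOOKALIKE_SIGNED = """\
DKIM-Signature: v=1; a=rsa-sha256; d=bank-example.com; s=sel;
 h=from:to:subject; bh=placeholder; b=placeholder
From: Billing <billing@bank-example.com>
To: me@mua.example
Subject: verify your account

body
"""

UNSIGNED_FROM_CONTACT = """\
From: Billing <billing@bank.example>
To: me@mua.example
Subject: verify your account

body
"""

if __name__ == "__main__":
    for name, raw in [("contact, signed", SIGNED_FROM_CONTACT),
                      ("look-alike, signed", LOOKALIKE_SIGNED),
                      ("contact, unsigned", UNSIGNED_FROM_CONTACT)]:
        print(name, "->", annotate(raw, signature_verified=True))
```

Note that no policy published by the From domain is consulted at all: the look-alike domain is free to sign or to publish "I sign everything", and it still lands in "unknown" because the recipient has never corresponded with it.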