[ietf-dkim] Re: Adding SMTP client Requirements

Douglas Otis dotis at mail-abuse.org
Thu May 24 11:03:26 PDT 2007


On May 24, 2007, at 12:06 AM, Stephen Farrell wrote:

> We've had last call on the requirements document. You seem to me to  
> be repeating a request that wasn't accepted, but I've yet to track  
> back the issue tracker to check that. I hope I don't need to.
>
> Our next step with the SSP requirements document is to push it to  
> the IESG (on Barry's to-do list I believe).

There is a clear desire to use DKIM in conjunction with some type of  
domain-based reputation service.  However, DKIM has _not_ resolved  
how replay abuse is to be handled.  This becomes a security concern  
when someone then suggests SPF is to be the means to associate domains.

Because DKIM has not resolved the issue of replay abuse, DKIM is  
indirectly promoting a dangerous means to associate domains.  The  
DKIM WG should reconsider their strategy.

When a DKIM signature does not match the domain of an email-address,  
the email-address is not assured.  This should be okay.

When the EHLO does not match the DKIM domain, the recipient is at  
risk of replay abuse when basing acceptance upon the DKIM domain.   
Hence, when the DKIM domain does not match the EHLO domain, DKIM's  
reputation MUST not apply.  For many, this is _not_ okay.

---

One solution might be to negotiate the necessary elements for  
permitting email providers to identify SMTP clients as being within  
the signer's DKIM domain.  However, most customers of an email  
service provider will not be comfortable making such arrangements.

Another solution might be to publish a _single_ small record that  
associates the EHLO domain with that of the DKIM domain.  Such  
associations would represent a type of authorization and indication  
of trust.  Such a scheme would not place either the email service  
provider or their customer in jeopardy in being erroneously  
identified for something beyond their control.  The same record could  
also indicate signing policy.  This can be accomplished within one  
and perhaps two DNS transactions _at the most_.  It is _very_  
important that the DKIM WG carefully consider the overhead  
surrounding use of DKIM.

---

Some have rather wantonly dismissed concerns related to DNS records  
able to cause a flurry of subsequent queries to _uninvolved_ domains  
based upon various email-addresses' local-parts.  Such records are  
cached and can be reused _any_ number of times within a spam run  
where these local-parts _will_ likely change.  Some have wantonly  
dismissed concerns related to DNS transactions demanded by a strategy  
attempting to resolve _all_ IP addresses used by as many as _10_  
different domains _all at once_.  The level of DDoS amplification  
this might involve is simply astounding!

The DKIM WG should carefully reconsider this issue for security  
reasons alone.

-Doug
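The receiver-side decision Doug describes (the signing domain's reputation applies only when the SMTP client's EHLO name is within, or explicitly associated with, the DKIM d= domain) is sketched below as an added example; it is not code from the post, from the DKIM working group, or from any deployed implementation. The record name `_ehlo-assoc.<signing-domain>` and its `ehlo=` token syntax are my own constructed stand-in for the "single small record" the post proposes, the `FAKE_DNS` table is constructed sample data, and the code assumes the DKIM signature itself has already been verified before this policy runs. It also counts DNS transactions, so the "at most one or two lookups" cost claim can be checked.

```python
"""Added example: EHLO-to-DKIM-domain association check (defender side).

Assumptions (not anything DKIM or SPF specifies):
- the DKIM signature has already verified, and d= is the signing domain;
- the receiving MTA recorded the SMTP client's EHLO name;
- a hypothetical TXT record at "_ehlo-assoc.<signing-domain>" lists the
  EHLO names the signer authorizes, costing at most one extra DNS query.
"""
from dataclasses import dataclass

# Constructed stand-in for DNS: owner name -> list of TXT strings.
FAKE_DNS = {
    "_ehlo-assoc.example.com": ["ehlo=mx1.example.com ehlo=outbound.esp.example"],
    "_ehlo-assoc.bank.example": ["ehlo=smtp.bank.example"],
}


@dataclass
class Verdict:
    apply_reputation: bool   # may the signing domain's reputation be used?
    reason: str
    dns_queries: int         # extra DNS transactions this decision cost


def parse_dkim_domain(dkim_signature_header):
    """Return the lower-cased d= tag from a DKIM-Signature header value."""
    for tag in dkim_signature_header.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() == "d":
            return value.strip().lower()
    return None


def _canon(host):
    """Lower-case a host name and drop a trailing dot."""
    return host.strip().lower().rstrip(".")


def ehlo_within_domain(ehlo_host, dkim_domain):
    """True if the EHLO name equals the signing domain or is a subdomain of it."""
    ehlo_host = _canon(ehlo_host)
    dkim_domain = _canon(dkim_domain)
    return ehlo_host == dkim_domain or ehlo_host.endswith("." + dkim_domain)


def lookup_association(dkim_domain, dns=FAKE_DNS):
    """One TXT lookup of the hypothetical association record.

    Returns the set of EHLO names the signing domain authorizes.
    """
    allowed = set()
    for txt in dns.get("_ehlo-assoc." + _canon(dkim_domain), []):
        for token in txt.split():
            key, _, value = token.partition("=")
            if key == "ehlo" and value:
                allowed.add(_canon(value))
    return allowed


def reputation_applies(dkim_signature_header, ehlo_host, dns=FAKE_DNS):
    """Decide whether the signer's reputation may be applied to this delivery.

    A signature from domain D presented by a client outside D, with no
    association record naming that client, is treated as a possible replay:
    the signature may still be valid, but D's reputation must not be applied.
    """
    dkim_domain = parse_dkim_domain(dkim_signature_header)
    if dkim_domain is None:
        return Verdict(False, "no d= tag in DKIM-Signature", 0)
    if ehlo_within_domain(ehlo_host, dkim_domain):
        return Verdict(True, "EHLO within signing domain", 0)
    allowed = lookup_association(dkim_domain, dns)   # exactly one query
    if _canon(ehlo_host) in allowed:
        return Verdict(True, "EHLO authorized by association record", 1)
    return Verdict(False, "EHLO not associated with signing domain; possible replay", 1)


if __name__ == "__main__":
    # Constructed sample header; only the d= tag matters here.
    hdr = "v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to; bh=...; b=..."
    for client in ("mx1.example.com", "outbound.esp.example", "relay.unrelated.example"):
        print(client, reputation_applies(hdr, client))
```

The same-domain case needs no lookup at all, and the delegated case (a customer signing with their own domain but sending through an email service provider's SMTP client) needs exactly one, which is the overhead the post asks the working group to keep in view. A message whose client is neither within the signing domain nor named in the record still carries a valid signature; it simply earns no reputation credit from that domain.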
