[ietf-dkim] Re: Adding SMTP client Requirements

Douglas Otis dotis at mail-abuse.org
Sat May 26 15:02:14 PDT 2007 

On May 25, 2007, at 5:18 PM, Barry Leiba wrote:

>> Because DKIM has not resolved the issue of replay abuse, DKIM is  
>> indirectly promoting a dangerous means to associate domains.  The  
>> DKIM WG should reconsider their strategy.
>
> Doug, will you (briefly) say what the replay scenario you're  
> looking to address is?  Thanks.

A DKIM signed message can be replayed from other SMTP clients.  This  
is a desirable feature, but permits abuse when receivers base message  
acceptance upon (the reputation of) the DKIM domain.

Replay abuse has been defined, and should be understood.  The concern  
is for those who will be affected by replay abuse mitigation strategies.

Mitigation would condition DKIM domain consideration to those  
messages where:

  A) the SMTP RCPT TO is within the signed portion of the message,

  B) or when the SMTP client is within the DKIM domain.

For a typical bulk sender, these conditions are not problematic.   
However, these conditions are problematic for many valid use  
scenarios.  These mitigation conditions have a potential to greatly  
lessen email delivery integrity.  This problem grows as DKIM domains  
become a greater component of acceptance.  The DKIM WG should  
consider how SSP records might safely extend use scenarios where a  
valid DKIM signature can remain a basis for acceptance.

Ideally, the extension information would be contained directly within  
the message to extend the mitigation A strategy.  Unfortunately BCC  
seems to preclude such direct methods, but there might be a means  
that combines some existing SMTP parameter with a cryptographic hash  
function.  Another method would be to extend the mitigation B  
strategy by indicating which SMTP clients are considered  
trustworthy.  A mitigation B strategy is not safely fulfilled by SPF,  
so it is imperative that a safe means be provided when only the  
mitigation B strategy remains available.

-Doug


"Good ideas and innovations must be driven into existence by  
courageous patience."  Hyman Rickover

More information about the ietf-dkim mailing list