[ietf-dkim] Re: Adding SMTP client Requirements
dotis at mail-abuse.org
Sat May 26 15:02:14 PDT 2007
On May 25, 2007, at 5:18 PM, Barry Leiba wrote:

>> Because DKIM has not resolved the issue of replay abuse, DKIM is
>> indirectly promoting a dangerous means to associate domains. The
>> DKIM WG should reconsider their strategy.
>
> Doug, will you (briefly) say what the replay scenario you're
> looking to address is? Thanks.

A DKIM signed message can be replayed from other SMTP clients. This
is a desirable feature, but permits abuse when receivers base message
acceptance upon (the reputation of) the DKIM domain.

Replay abuse has been defined, and should be understood. The concern
is for those who will be affected by replay abuse mitigation strategies.

Mitigation would condition DKIM domain consideration to those
A) the SMTP RCPT TO is within the signed portion of the message,
B) or when the SMTP client is within the DKIM domain.

For a typical bulk sender, these conditions are not problematic.
However, these conditions are problematic for many valid use
scenarios. These mitigation conditions have a potential to greatly
lessen email delivery integrity. This problem grows as DKIM domains
become a greater component of acceptance. The DKIM WG should
consider how SSP records might safely extend use scenarios where a
valid DKIM signature can remain a basis for acceptance.

Ideally, the extension information would be contained directly within
the message to extend the mitigation A strategy. Unfortunately BCC
seems to preclude such direct methods, but there might be a means
that combines some existing SMTP parameter with a cryptographic hash
function. Another method would be to extend the mitigation B
strategy by indicating which SMTP clients are considered
trustworthy. A mitigation B strategy is not safely fulfilled by SPF,
so it is imperative that a safe means be provided when only the
mitigation B strategy remains available.

"Good ideas and innovations must be driven into existence by
courageous patience." Hyman Rickover
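
The two mitigation conditions listed in the message above, written as a receiver-side check; this is an added example, not code from the post or from the DKIM WG. It assumes the signature has already been verified cryptographically and that `client_host` is a host name the receiver has itself confirmed for the connecting SMTP client; the function names and the sample message are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: signature values are placeholders, not a real signature.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\n"
    " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: news@example.com\n"
    "To: alice@example.net\n"
    "Subject: update\n"
    "\n"
    "body\n"
)

def dkim_tags(sig_value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def rcpt_is_signed(msg, tags, rcpt_to):
    """Condition A: RCPT TO appears in a To/Cc header listed in h=."""
    signed = {h.lower() for h in tags.get("h", "").split(":")}
    values = [v for name in ("to", "cc") if name in signed
              for v in msg.get_all(name, [])]
    return rcpt_to.lower() in {addr.lower() for _, addr in getaddresses(values)}

def client_in_domain(client_host, tags):
    """Condition B: client host equals d= or is a subdomain of it."""
    domain = tags.get("d", "").lower().rstrip(".")
    host = client_host.lower().rstrip(".")
    return bool(domain) and (host == domain or host.endswith("." + domain))

def use_domain_reputation(raw_message, rcpt_to, client_host):
    """True when the d= domain's reputation may count toward acceptance."""
    msg = message_from_string(raw_message)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return False
    tags = dkim_tags(sig)
    return rcpt_is_signed(msg, tags, rcpt_to) or client_in_domain(client_host, tags)
```

A recipient that is not named in a signed To/Cc header (a BCC copy, for instance) and is reached through a client outside the d= domain satisfies neither condition, so the signing domain's reputation is not applied to that delivery.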