On Nov 3, 2005, at 6:48 AM, Graham Murray wrote:
> Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> writes:
>
>> Binding an email-address to the provider and prohibiting third-party
>> services such as list-servers is a change being required by
>> SSP, once the effects of reputation are considered.
>
> Why? Surely in the case of receiving mail from a list, it is the
> list's (or possibly the list provider's) reputation which is important
> not that of the person/entity sending the mail via the list. It should
> be the responsibility of the list provider, not the list subscribers,
> to check/verify the authenticity etc of the message submitters.

Before answering this, DKIM _without_ SSP offers a means to detect
phishing and to locate sources of abuse so they can be blocked or
corrected. DKIM _without_ SSP would offer significant value at
mitigating abuse. As a general rule, the signing-domain should be
held accountable, but with SSP that is not the case.

SSP is the Son of Sender-ID Protocol. If the list-server used DKIM
to sign messages after making typical alterations, the reputation of
the signature is nevertheless ignored by the SSP mechanism. (See
Hector's chart for an example of how this would work.) Instead, the
From email-address is held accountable for permitting the
signatures. To then protect the reputation of the email-address, the
domain owner would eventually be required to prohibit all independent
signatures. :(

The impact of the SSP mechanism is manifold. Email-addresses will
effectively be restricted to "authorize" specific signatures or
become targets of abuse. No altered message can be re-introduced
without modifying the From header to include multiple From email-
addresses, where the first address would need to be that of the list-
server, greeting-card, e-invite, or even the local-provider, etc. It
will soon become normal to see multiple From email-addresses, where
the first is required to match the signing-domain (or perhaps a
domain authorized by the SSP). Using your alma-mater email-address
would likely need to follow the address offered by your local access
provider.

A piece of this puzzle still missing, but coming soon, is a method
for SSP to authorize other specific signing-domains. After all, the
SSP mechanism is to shield the provider from accountability. Issues
like compromised systems and message replay abuse are no longer
their concern. The SSP mechanism even directs complaints to the
email-address domain owner rather than the provider granting access.

SSP is the lax provider's dream, but a consumer's nightmare. SSP
shifts the burden of abuse onto the email-address domain owner, even
though they may be ill equipped to handle breaches in security or
message replay abuse.

Will forcing the From to match that of a signing-domain in some
manner really protect the domain? Ask yourself why it is not a
concern that the SSP mechanism does not deal effectively with
compromised systems or message replay abuse.

-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org
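
Added example, not part of the original message or of any DKIM/SSP draft: the relationship between the From address and the signing-domain that the message argues about, shown on two constructed messages (a list re-signing a subscriber's post, and the multiple-From form described above). The `example` domains, the helper names and the matching rule (same domain as `d=`, or a subdomain of it) are assumptions; no signature is cryptographically verified.

```python
from email import message_from_string
from email.utils import getaddresses

def signing_domains(msg):
    """Return the d= tag of every DKIM-Signature header, lowercased."""
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in value.split(";"):
            name, sep, val = part.partition("=")
            if sep:
                tags[name.strip()] = "".join(val.split())  # drop folding whitespace
        if "d" in tags:
            domains.append(tags["d"].lower())
    return domains

def classify(raw):
    """Label each From address relative to the signing domains (assumed rule)."""
    msg = message_from_string(raw)
    signers = signing_domains(msg)
    result = []
    for _, addr in getaddresses(msg.get_all("From", [])):
        domain = addr.rpartition("@")[2].lower()
        match = any(domain == d or domain.endswith("." + d) for d in signers)
        result.append((addr, "first-party" if match else "third-party"))
    return result

# Constructed sample: a list-server signs after altering a subscriber's post.
LIST_RESIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=lists.example; s=sel;\n"
    " h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: Alice <alice@alma-mater.example>\n"
    "Subject: [list] hello\n\nbody\n"
)
# Constructed sample: the list's own address placed first in From.
MULTI_FROM = LIST_RESIGNED.replace(
    "From: Alice", "From: list@lists.example, Alice")

if __name__ == "__main__":
    for name, raw in (("list re-signed", LIST_RESIGNED), ("multi-From", MULTI_FROM)):
        print(name, classify(raw))
```

In the first message the only signature is third-party relative to the From address, so a policy keyed on the From domain never consults the list's signing-domain; in the second, only the first address matches the signer.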