ietf-dkim

Re: [ietf-dkim] Re: New Issue: Threat-00 Limiting the scope of trust

2006-02-14 13:05:55

On Feb 12, 2006, at 9:03 PM, Frank Ellermann wrote:


>> Even this brief review was not limited to just Sender-ID as a path solution, but also included a list of HELOs that could describe the same path in one or two lookups.

> Okay, covering "signing domains" by sets of related HELOs makes more sense than PRA or MAIL FROM. We've nothing for arbitrary HELO IDs. At best we have CSV's zone-cut emulation. But CSV like all the others is single-hop (MON to MX), attackers won't use a CSV or SPF protected HELO, they simply pick another HELO.

Verifying the HELO would be analogous to checking a wax seal on an envelope. When the verified HELO is found within a list of valid HELOs for the signing-domain, the seal is intact. Just as policy for an email-address within the signing-domain is not checked, when the HELO is within the signing-domain, checking for a list of valid HELOs would not be needed. The threat review may consider the use of the HELO, but neither the DKIM threat review nor the protocol should be required to include details of how HELO is verified, or even how a list of HELOs is created.

When the wax seal is broken or missing, delayed acceptance from unknown IP addresses could provide a means to curtail all types of message replay abuse. A verified HELO also offers a means to defend the DKIM process from an inordinate level of abuse as DoS protection. When the HELO does not verify from an unknown IP address, or is outside the signing-domain, delayed acceptance will ensure the service impact is minimal.

DKIM keys will likely be added on a per-MTA basis. At the same time the key is added to DNS for the MTA, a HELO RR can be added. This is not asking an organization to know all their IP addresses for all the machines ever used. This is only asking that the HELO for this DKIM MTA also have a corresponding DNS entry.

Accountability for DKIM must exclude the message envelope. However, accountability for the HELO includes the message envelope. When DKIM is used in conjunction with HELO verification, then, and only then, can DKIM become a powerful means to abate spam and curtail replay abuse.

-Doug
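The acceptance policy sketched above (verified HELO as the "wax seal", signing-domain or valid-HELO-list check, delayed acceptance for unknown IPs otherwise), as an added example that is not code from the thread or from any DKIM implementation. It assumes a constructed DNS table in place of a real resolver; the names, addresses and the `accept`/`delay` labels are assumptions made for the example.

```python
# Constructed sample "DNS" data for the example (not real records):
# HELO hostname -> set of A-record addresses it resolves to.
FAKE_DNS = {
    "mta1.example.com": {"192.0.2.10"},
    "mta2.example.com": {"192.0.2.11"},
    "relay.partner.test": {"198.51.100.5"},
}


def in_domain(host, domain):
    """Label-wise check that host equals domain or is a subdomain of it.

    A plain string suffix test would wrongly treat 'evilexample.com' as
    being inside 'example.com'; comparing DNS labels avoids that.
    """
    h = host.lower().rstrip(".").split(".")
    d = domain.lower().rstrip(".").split(".")
    return len(h) >= len(d) and h[-len(d):] == d


def helo_verifies(helo, client_ip, resolver=FAKE_DNS):
    """The 'wax seal': the HELO name resolves to the connecting address."""
    return client_ip in resolver.get(helo.lower().rstrip("."), set())


def helo_policy(helo, client_ip, signing_domain, valid_helos, known_ips):
    """Decide 'accept' or 'delay' for a connection presenting a DKIM signing domain.

    Seal intact  = HELO verifies AND (HELO is within the signing-domain OR
                   HELO is on the signing-domain's list of valid HELOs).
    Seal broken  = anything else; accept only from an already-known IP,
                   otherwise apply delayed acceptance (greylisting).
    """
    seal_intact = helo_verifies(helo, client_ip) and (
        in_domain(helo, signing_domain)
        or helo.lower().rstrip(".") in {v.lower() for v in valid_helos}
    )
    if seal_intact or client_ip in known_ips:
        return "accept"
    return "delay"
```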

_______________________________________________
NOTE WELL: This list operates according to http://dkim.org/ietf-list-rules.html
