meta-question: what is the purpose of the security
tutorial about broad topics in security? fair warning about
limitations of the
current specification? guidelines for safe operation? other
The requirements for a security considerations section have increased
over the years.
In particular it is now expected to provide a complete list of the
security risks associated with the specification, a description of all
residual security threats that do not have effective controls associated
with them and a list of all the security dependencies.
In this case I would expect the SC section to state that:
* DKIM depends on DNS for key distribution and policy publication
* DNS is subject to known attacks that may affect DKIM, in particular
cache poisoning attacks and spoofing attacks.
** These attacks rely on a weakness in the local DNS service and their
effect is limited to the machines that rely on the compromised server.
This form of attack is not likely to be significant in the context of
spam but may be significant in the context of phishing.
** Deployment of DNSSEC provides the ideal control to protect against
these attacks but ordinary anti-spoofing precautions as implemented in
standard DNS servers are likely to be adequate for most purposes.
** Use of supplemental accreditation data that is authenticated by a
trusted third party (e.g. X.509 certificates) provides an acceptable
control wrt the key distribution attack but does not prevent policy