
Review of draft-ietf-dkim-ssp-08

2009-01-02 14:51:22
$Id: draft-ietf-dkim-ssp-08-rev.txt,v 1.1 2009/01/02 19:05:45 ekr Exp $

This document describes a way for domains to publish their policy
vis-a-vis signing emails with DKIM. The idea here is that when
you receive an email that is not signed you would like to be able
to distinguish (at least) two cases:

- The domain doesn't sign.
- This is a forgery.

This document (hereafter called ADSP) allows the domain to advertise
its signing policy, thus allowing recipients to distinguish these
(and some other) cases.

Generally, this approach and the protocol it describes seem sound.
However, I have some concerns as detailed below.

One general question: I see you're using TXT here. I know this
is a hot button for the DNS people. If you haven't cleared this
with them, that might be good. If you have, then ignore this
comment.



TECHNICAL
S 3.

   Hosts can look up the ADSP information of the domain(s) specified by
   the Author Address(es) as described in Section 4.3.  If a message has
   multiple Author Addresses the ADSP lookups SHOULD be performed
   independently on each address.  This document does not address the
   process a host might use to combine the lookup results.

I'd like to see some security analysis of why this is OK. Naively,
it seems like one might be able to get around ADSP using this feature.
I.e., I want to forge a message apparently from example.com, which
has "dkim=all". I generate a message with "From: ekr@example.com,
ekr@example.org" where I control example.org. I then serve a record
for example.org indicating that I don't sign. If this is accepted,
that seems potentially problematic.


S 4.3.
   Check Domain Scope:   An ADSP checker implementation MUST determine
      whether a given Author Domain is within scope for ADSP.  Given the
      background in Section 3.1 the checker MUST decide which degree of
      approximation is acceptable.  The checker MUST return an
      appropriate error result for Author Domains that are outside the
      scope of ADSP.

I don't really understand how the second (and maybe third) MUSTs are
operationalizable. How would I not "decide"? I mean, I could
just ignore the issue and do exact match. Would that constitute
"deciding"? What would constitute not "deciding"?

S 6.2.
   An attacker might attack the DNS infrastructure in an attempt to
   impersonate ADSP records to influence a receiver's decision on how it
   will handle mail.  However, such an attacker is more likely to attack
   at a higher level, e.g., redirecting A or MX record lookups in order
   to capture traffic that was legitimately intended for the target
   domain.  These DNS security issues are addressed by DNSSEC [RFC4033].

I don't understand why an attacker is more likely to redirect A or MX.
These are different attacks with different objectives. If I'm doing
phishing, then forgery seems more useful to the attacker.

In addition, to the extent to which the point of security
considerations is to give the reader an accurate picture of the
security of the system, I don't think this works that well, as due to
the very low deployment of DNSSEC, in practice these records are
easily forged.



EDITORIAL
S 2.7.

   For example, if a message has a Valid Signature, with the DKIM-
   Signature field containing "i=a@domain.example", then domain.example
   is asserting that it takes responsibility for the message.  If the
   message's From: field contains the address "b@domain.example" and an
   ADSP query produces a "dkim=all" or "dkim=discardable" result, that
   would mean that the message does not have a valid Author Signature.
   Even though the message is signed by the same domain, it fails to
   satisfy ADSP.

I think this example might benefit from a bit more explanation.
As I understand it, this signature is invalid per DKIM and so it needs
to be treated as unsigned, and that's where ADSP kicks in. But I
may have misunderstood, so some clarity here might help.


S 3.1.
   Note:   The results from DNS queries that are intended to validate a
      domain name unavoidably approximate the set of Author Domains that
      can appear in legitimate email.  For example, a DNS A record could
      belong to a device that does not even have an email
      implementation.  It is up to the checker to decide what degree of
      approximation is acceptable.

I don't really understand this graf. Can you rephrase?


-Ekr
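The two concerns above about per-address lookups (S 3) and about a same-domain signature that is not an Author Signature (S 2.7) can be made concrete with a small checker. The code below is an added example for this review, not code from the draft or from any DKIM implementation. It assumes the ADSP record name "_adsp._domainkey.<domain>" used by the ADSP drafts, treats unrecognised dkim= values as "unknown", and models an Author Signature as a Valid Signature whose i= identity equals the From address exactly, which is what the quoted S 2.7 text implies; the DNS data is a constructed in-memory table. The part the draft leaves open, combining results across multiple Author Addresses, is shown both ways so the difference is visible: a strictest-wins rule rejects the two-address forgery, a lenient rule lets it through as "none".

```python
"""Toy ADSP checker, written as an added example for this review.

It models the draft-08 behaviour the review quotes: one ADSP lookup per
Author Address, with the combination of per-address results left open.
Assumed (not stated on the page): the record name "_adsp._domainkey.<domain>",
unrecognised dkim= values treated as "unknown", and an Author Signature
being a Valid Signature whose i= identity equals the From address.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed stand-in for DNS TXT data, keyed by owner name.
FAKE_DNS: Dict[str, List[str]] = {
    "_adsp._domainkey.example.com": ["dkim=all"],
    "_adsp._domainkey.example.org": ["dkim=unknown"],   # zone the reviewer's attacker controls
    "_adsp._domainkey.domain.example": ["dkim=all"],    # the S 2.7 example domain
}

VALID_POLICIES = ("unknown", "all", "discardable")


def parse_adsp_record(txt: str) -> str:
    """Extract the dkim= tag from a tag=value record; anything odd becomes 'unknown'."""
    for part in txt.split(";"):
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "dkim":
            value = value.strip().lower()
            return value if value in VALID_POLICIES else "unknown"
    return "unknown"


def adsp_lookup(domain: str, dns: Dict[str, List[str]] = FAKE_DNS) -> str:
    """Return the published policy for a domain; no record means 'unknown'."""
    records = dns.get(f"_adsp._domainkey.{domain.lower()}", [])
    return parse_adsp_record(records[0]) if records else "unknown"


@dataclass
class Message:
    from_addrs: List[str]            # every Author Address in the From: field
    valid_sig_identities: List[str]  # i= identities of signatures that verified


def author_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def has_author_signature(msg: Message, addr: str) -> bool:
    # Draft-08 semantics as quoted in S 2.7: the i= identity must match the From address,
    # so i=a@domain.example does not cover From: b@domain.example.
    return addr.lower() in {i.lower() for i in msg.valid_sig_identities}


def evaluate_address(msg: Message, addr: str, dns=FAKE_DNS) -> str:
    """Per-address outcome: 'pass', 'none' (policy unknown) or 'fail'."""
    if has_author_signature(msg, addr):
        return "pass"
    return "none" if adsp_lookup(author_domain(addr), dns) == "unknown" else "fail"


# Two ways of combining per-address results, the step the draft leaves open.
SEVERITY = {"pass": 0, "none": 1, "fail": 2}


def evaluate_message(msg: Message, combine: str = "strictest", dns=FAKE_DNS) -> str:
    results = [evaluate_address(msg, a, dns) for a in msg.from_addrs]
    if not results:
        return "none"
    if combine == "strictest":
        return max(results, key=SEVERITY.__getitem__)   # any failing address fails the message
    if combine == "lenient":
        return min(results, key=SEVERITY.__getitem__)   # any acceptable address is enough
    raise ValueError(f"unknown combine rule: {combine}")


if __name__ == "__main__":
    # The reviewer's S 3 scenario: unsigned, two Author Addresses, one in a domain the forger controls.
    forged = Message(from_addrs=["ekr@example.com", "ekr@example.org"], valid_sig_identities=[])
    print("forgery, strictest:", evaluate_message(forged, "strictest"))  # fail
    print("forgery, lenient:  ", evaluate_message(forged, "lenient"))    # none
```

Running the module prints the two combined verdicts for the forged message; the per-address results are "fail" for example.com and "none" for example.org, and only the strictest-wins rule turns that into a rejection.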