ietf-asrg
[Top] [All Lists]

Re: [Asrg] The state of the email system

2008-11-17 13:40:31

On November 17, 2008 at 12:23 asrg(_at_)johnlevine(_dot_)com (John Levine) 
wrote:

DKIM makes it easier to identify the actual sender of a message.  In
practice, its likely utility will be to recognize mail from people you
trust so it can bypass the filters.  As a sufficient fraction of real
mail is recognized, you can crank up the filters on what's left.

Although certainly possible that seems to reduce it to an enhanced
whitelisting support system.

DKIM is mostly attractive to combat phishing so if you get an email
from your bank which says "click here to enter your account
information" you have some confidence that the email is really from
your bank and not some miscreant.

There are two big challenges in DKIM tho, both very closely related:

1. It would seem to require some sort of reliable reputation
system. Just because your MUA says "DKIM checks out!" you still don't
really know who the mail is from, only that it's from who its headers
claim it's from. That is, it may only be telling you that this is
authentic phish from the phisher hisself!

"Reputation systems" don't come out of thin air. Insert all the
objections about creating a global system of trust.

2. Which leads to the obvious subversion which is for phishers to just
register plausible-looking domains like citig.roup.com (add in the IDN
hazards) or bankofamerica.customer-services.co (colombia, for example,
because it looks like .com), include valid DKIM info and voila, people
think it's ok and click the link.

Obviously even that could be mitigated with some sort of personal
whitelist service which might, for example, alert you that you have
never received email from this DKIM-verified domain before which might
be a hint that it ain't bank of america.

We need a term of art for when "solutions" seem to require more and
more layers of other crud seemingly invented as objections are raised
to make them plausible.

Personally I think DKIM will be of only minor help, in the "better
than nothing" category and mostly of use only to reasonably smart and
alert people.

Admittedly right now even pretty smart people don't have a way to
answer "hmm, is this email really from my bank?" short of being able
to read and interpret email headers shrewdly. DKIM might help them
with that, but they have to say "hmmm" or know what's at issue anyhow.


-- 
        -Barry Shein

The World              | bzs(_at_)TheWorld(_dot_)com           | 
http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Login: Nationwide
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg