ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Asrg] mail security

2009-01-21 06:43:55
from [Ian Eiloart] [Permanent Link] 


--On 20 January 2009 11:44:26 -0800 Dave CROCKER <dhc(_at_)dcrocker(_dot_)net> 
wrote:




John Levine wrote:

DKIM at least starts to address those problems, but it still doesn't
begin to try to deal with the much harder problem of lookalike
domains.  Let's say you get a message from security(_at_)pay-pal(_dot_)com, 
which
is 100% DKIM, SPF, and Sender-ID approved.  Is that Paypal?  How can
you tell short of manually looking up WHOIS registrations?




Two points:

1.  The word "security" is not all that helpful in these discussions.  To
security technology experts, it means too many things to know what is
meant in a particular case.  To the rest of us, it carries too little
precise meaning.

2.  Almost all of the discussions about these authentication-related
technologies start with the authenticated identifier and then talk about
what you can derive from it or how it might be spoofed or otherwise
abused.  Since that is exactly what must be done with suspect messages,
the model seems to make sense to (re-)apply for authentication.  I now
believe it is exactly the wrong model.  That's a model that looks for the
problem, the attack, the basis for suspicion.



A very different model starts as a model of trust and specifies a table
of who is part of the model.  In other words, it works in the oppsoite
direction. When a message shows up, the only question is whether that
message falls under that umbrella of trust.  If it doesn't, then we are
done with that model, for that message.  Any further consideration of
that message has nothing at all to do with the trust model.  The
authenticated identifier is the sole, simple lookup string into that the
model.  Either the identifier string works or it doesn't.
Agreed. That's why I'm discussing SPF or DKIM with a reputation service. In the first instance, my reputation service is going to be a local whitelisting mechanism. I'll probably have some domains whitelisted for my entire site. Perhaps all .ac.uk domains, for example. Then I'll allow users to whitelist domains and addresses that they trust. However, the whitelisting mechanism will rely on an SPF or DKIM pass.
So, as you say, I'll check that the sender address falls under my umbrella of trust - that it's in my whitelist. If not, I'll fall back to my old mechanisms. But, if it does fall under my umbrella of trust, I'm still going to check for either an SPF or a DKIM positive match. If I don't get that, then I fall back to my old mechanisms.
I hope that an trustworthy external reputation service will emerge that allows me to place others under my umbrella of trust, even when they're not listed locally.
I'll need some rules about who people can whitelist (and blacklist, too). For example, I don't think I'd allow anyone to whitelist hotmail.com as a domain, but I'd allow then to whitelist specific addresses. On the other hand, I'd allow them to whitelist the domain of a local school or local government organisation. 


Concerns about spoofing the identifier, re-purposing its use, and
corrupting the content -- authentication, authorization and data and
signature integrity -- are all valid for evaluating the underlying
technology but they really are secondary to any serious discussion of the
model.  After the briefest review to ensure that a particular technology
has made specific and acceptable choices for the "security" questions,
the questions should not burden debate about use of the technology.
Instead we seem to find these questions hashed, rehashed and hashed
again, as the focus of community debate.

When the anti-abuse world discusses use of these authentication
technologies, we need to stop being the anti-abuse world and start being
the trust world.  The anti-abuse world really has the receiving assessor
as an isolated island of suspicious.  In today's Internet, that's
required.  But the trust world is quite different.  It is collaborative
-- between signer and receiving assessor -- and deterministic, rather
than vague and heuristic, and strictly the effort of the receiving
assessor.

Totally different model.  So we need a totally different approach to
talking about it.

d/




--
Ian Eiloart
IT Services, University of Sussex
x3148
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Asrg] where the message originated (was: DKIM role?) (SM), Ian Eiloart
Next by Date:  Re: [Asrg] where the message originated (was: DKIM role?) (SM), Alessandro Vesely
Previous by Thread:  Re: [Asrg] mail security, Ian Eiloart
Next by Thread:  Re: [Asrg] mail security, Ian Eiloart
Indexes:  [Date] [Thread] [Top] [All Lists]