Re: [ietf-dkim] What's a replay?


On Aug 9, 2005, at 1:23 PM, Dave Crocker wrote:

On Mon, 08 Aug 2005 19:46:24 -0700, Douglas Otis wrote:

 A replay would be both a valuable feature of DKIM



I have no idea what this means.

"a replay"?

"a feature of dkim"?



Message Replay:

Signed messages reintroduced from different servers with differentRCPT TO parameters.



Accountable Domain:

The domain that introduced the signed message and provided the publickey used for verification.



Revocation-Identifier:

An opaque identifier added by the accountable domain and used torevoke the related account's authorization.



Bad-List:

A set of domain labels at the accountable domain that return 'A'resource records with the address value 127/8. These labelscorrespond to revocation-identifiers which are no longer authorized.




DKIM's common feature:

DKIM authenticates the accountable domain while allowing the samemessage to be reintroduced from different servers with different RCPTTO parameters. This valuable feature supports forwarding, while, atthe same time, permits a mode where abusive messages may bereplicated and sent to an unlimited number of recipients. Abusivemessages could be considered those that are undesired and aredisproportionately in the sender's interest.



Potential mires:

As a secondary feature, some wish to bind the Sender or From mailboxdomain with the accountable domain. This secondary feature requiresthe optional application of domain-wide policy assertions.Describing the binding of the Sender or From mailbox domain with theaccountable domain an "anti-phishing" measure would likely becomecontentious. This is due to variations in what may be exposed to therecipient, together with social engineering ploys that remain possible.

It would also be contentious to consider DKIM a means to assure thelocal-part of a mailbox address. While there is a provision withinDKIM to specifically limit the validity of a key to that of aspecific local-part, such user-keys create other concerns withrespect to DNS suitability and possible misuse. The assurance of thelocal-part also has similar problems related to defining what isexposed to the recipient. Such full mailbox address verificationwould also clearly overlap S/MIME as well.



Improving upon the common feature of DKIM:

Without reputation being considered, there is no method to controlabuse. Authentication of the accountable entity keeps reputationinformation from being corrupted and causing onerous support issues.The accountable domain provided by DKIM is extremely important withrespect to ensuring safe and fair reputation assessments. Withoutreputation services however, there also has been general agreement anauthenticated accountable domain offers little on its own to reduceabusive email. After all, abusers can easily sign their ownmessages. Another concern arises from the fact that the normal meansto monitor and limit abusive accounts is seriously hampered by theability of signed messages to be replayed.

DKIM must consider optionally adding a revocation-identifier as ameans to defend larger domains who will need to deal with abusiveaccounts on a regular basis. Without providing a means to controlabusive replay, a domain administrator would be unable to demonstrateany cooperation in abating abuse issues as they are reported. Therevocation-identifier mechanism, as suggested, would permit a meansto terminate abuse as it happens, and even squelch messages that mayremain in transit.

Not solving the replay issue, and considering a greater value isfound by protecting the local-part in conjunction with the use ofuser-keys raises serious questions as to the goal of DKIM. If thisis the case, then DKIM should be dropped and S/MIME's signaturemethods should be modified instead.


-Doug

_______________________________________________

ietf-dkim mailing list
ietf-dkim(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/ietf-dkim