ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] DKIM SSP: Security vulnerability when SSP record doesnot exist?

2005-08-10 08:23:55
On Wed, 10 Aug 2005 09:53:37 -0500, Arvel Hathcock wrote:
 Suppose you get an unsigned message and DNS lookups fail for whatever
 transient reason.

It is probably worth our considering how well or poorly DKIM works under 
different modes of connectivity.  

Some models require all participants to be online at the same time, with 
continuous connectivity throughout the activity.  A VOIP telephone call is an 
example. (I tend to think that the Web is, too, but that's a more complicated 
discussion, what with asynchronous publishing and proxies confusing things.)  

Others tolerate highly asynchronous access and interrupted connectivity. Email 
is the obvious example, but also note the Delay Tolerant Networking (formerly 
Interplanetary Internetworking) effort as an extreme.

So, the issue you are raising is about the ability of the Validating Agent to 
access the key server... ummmm, errrr... the DNS.... in real time. (Given that 
DKIM rides on email, the model does not require that Signer and Validator be 
online at the same time.)

I think that the only other real-time dependencies that the core email service 
has on the DNS is the outbound process of finding MX records, and of course, 
the 
various receive-time SMTP server matchings of the incoming IP Address against 
various DNS-based records.

This argues for doing key-retrieval by a component in the receiver's 
Administrative Environment that operates with the same connectivity as the 
receive-time SMTP server...

However it does not *require* it.  There is nothing preventing validation from 
being done by a component with highly discontinuous access that does not match 
the access of the mail-receiving component.  However it makes use of the 
signature more challenging.

  d/
  ---
  Dave Crocker
  Brandenburg InternetWorking
  +1.408.246.8253
  dcrocker  a t ...
  WE'VE MOVED to:  www.bbiw.net



_______________________________________________
ietf-dkim mailing list
ietf-dkim(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/ietf-dkim