ietf-dkim

Re: [ietf-dkim] Re: Using PKIX certificates with dkim

2005-08-11 14:21:32
Thanks for writing this. As far as I can tell, at the
very least this could be used as a cryptographic
trust anchor for DKIM in much the same way that DNSSEC
could. But you seem to go further on several accounts and
I don't understand how that would be accomplished:

Hallam-Baker, Phillip wrote:
Accreditation by a TTP may provide a relying party with valuable additional information that allows the relying party to evaluate a DKIM signature more accurately. For example, many Certificate Authorities offer a certificate that is only issued after verifying ‘proof of right’ documentation provided by the applicant that establishes that the applicant is a bona-fide registered business in some locale. While a verified business registration does not in itself guarantee that a business is honest, it does demonstrate a likelihood that the registered party can be held accountable through civil or criminal process should the need arise. In the wake of criminal prosecutions and civil litigation, the vast majority of spammers attempt to avoid these forms of accountability. A verified business registration is therefore significant when evaluating the probability that an email message was sent by a spammer.

What is not clear to me is how a mail receiver knows whether any
given lookalike domain is tied to an accredited domain. That is,
I can see how ethical CAs would not issue certs for paypa1.com
because it looks like paypal.com, but when I receive a piece of
mail from paypa1.com which doesn't have any accreditation information,
what could a receiver really infer from that?

Accredited data supplied by a TTP may also be employed to control certain types of phishing attack. While an unaccredited DKIM signature can allow detection of an attempt to impersonate a domain name, an email phishing attack is an attack against a trusted brand. The use of cousin addresses in phishing attacks such as security-bigbank.com in place of bigbank.com is already common.

Again, I don't understand how this reverse mapping from abuser
domain to abused domain would be made. And what constitutes a
"trusted brand"? And how would a receiver arbitrate when there
were two certs, say, issued by two different CA vendors, which
conflict as to who, in fact, is the "trusted brand"? Also: is
there the possibility here for collateral damage for pre-existing
domains who don't have certs, but are otherwise legitimately
entitled to their brand even if it's not widely known?

The effectiveness of cousin addresses may be further reduced through the introduction of TTP services that provide for verification of the trusted brand that is being attacked in addition to the domain name. For example, a CA might publish a verified brand in the certificate issued by means of the PKIX Logotype extension [5].

Again, the reverse mapping problem would need to be solved
as far as I can tell.

Overall, it sure looks to me like this is substantially more
complicated if you want to achieve any of these other goals than
is apparent in this draft. As a mechanism to provide a cryptographic
trust anchor in lieu of or in addition to DNSSEC it seems plausible, but I think
that is a debate that ought to be had on its own terms and not wrapped
up with these other goals.

                Mike
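As an added illustration of the receiver-side problem discussed in this message (example code, not from the thread or the draft): a receiver holding a constructed list of accredited brands can flag paypa1.com and security-bigbank.com as cousins of those brands, but the same "embedded" rule also fires on an unrelated constructed domain such as bigbankruptcy-attorneys.com, which is exactly the collateral-damage question raised above. The brand list, the confusable-character table and the single-label public-suffix handling are all assumptions of the example.

```python
"""Receiver-side heuristic that maps a sender domain back to the brand
it resembles.  Shows why the reverse mapping is ambiguous: the rule
that catches security-bigbank.com also fires on unrelated names."""
from difflib import SequenceMatcher

# Constructed sample: brands the receiver treats as accredited.
BRANDS = ["bigbank.com", "paypal.com"]

# Digits commonly substituted for letters in lookalikes (constructed table).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registrable_label(domain):
    """Return the label left of the public suffix.  Simplification: assumes
    a single-label suffix such as .com; real code would use the PSL."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def cousin_matches(sender_domain, brands=BRANDS):
    """Return [(brand, reason)] for every brand the sender domain resembles.
    An empty list means no lookalike relationship was detected."""
    label = registrable_label(sender_domain)
    folded = label.translate(CONFUSABLES)
    hits = []
    for brand in brands:
        b = registrable_label(brand)
        if label == b:
            continue                                 # the brand itself
        if folded == b:
            hits.append((brand, "confusable"))       # paypa1 -> paypal
        elif b in label.replace("-", ""):
            hits.append((brand, "embedded"))         # security-bigbank
        elif SequenceMatcher(None, folded, b).ratio() >= 0.8:
            hits.append((brand, "near"))             # a typo or two away
    return hits


if __name__ == "__main__":
    # Constructed sender domains, including a legitimate false positive.
    for d in ["paypa1.com", "security-bigbank.com", "bigbamk.com",
              "bigbankruptcy-attorneys.com", "bigbank.com", "example.com"]:
        print(f"{d:30} -> {cousin_matches(d)}")
```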