On Aug 22, 2005, at 3:23 PM, Scott Kitterman wrote:

> Douglas Otis wrote:
>
>> Binding a mailbox-address or mailbox-domain to a domain signature
>> is not a goal, it is a mechanism. What is the intended goal?
>> What is the selection process? What level of administrative
>> effort will this entail? What level of DNS interaction is required?
>
> Good design questions for the group to work on once it's chartered.
What practical role does DKIM play, what problems are being addressed, and what problems are potentially created? Consider this together with potential systemic risks.

You wish to include an anti-forgery mechanism directly within DKIM. I fear serious issues will likely derail DKIM deployment when "anti-forgery" mechanisms interfere with normal email, while at the same time forgery continues. I doubt there is a possible draft that offers obtainable goals related to anti-forgery without per-user-keys. Anti-forgery appears practical for S/MIME or OpenPGP, but becomes too problematic for DKIM. At least when done directly.

Considering the goal of protecting naive recipients, I then described an add-on feature for an MUA that supplants the need to include anti-forgery mechanisms directly within DKIM. This was based upon a practical assessment of the goals using a narrower focus. For example, you said there is a need for domain-wide assertions. I agreed a domain-wide assertion can prevent unauthorized servers.

Allow the MUA to establish bindings from within the message. This would remove the need to publish inordinate amounts of binding information within DNS. At least this would provide recipients a warning when messages deserve closer examination. An MUA "mailbox-address/domain-signature/opaque-identifier" snap-shot add-on, together with a simpler DKIM that remains independent of mailbox-addresses, will still abate most targeted spoofs. Leave this aspect of spoofing to the MUA, which must change to provide this type of feature anyway. By not tracking mailbox-addresses, this allows a simpler, more basic design for DKIM. The simpler design should permit easier analysis, and provide a safer outcome.

-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org
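The MUA-side "snapshot" binding Doug sketches above, as an added illustration that is not code from the list or any mail client: the client remembers which DKIM signing domain (the d= tag) it first saw paired with a mailbox address and warns when a later message pairs that address with a different signer. It assumes the DKIM signature itself has already been verified by the receiving MTA or MUA; the sample messages and the header-parsing helper are constructed for the example.

```python
# Trust-on-first-use binding of From address -> DKIM signing domain (d=).
# Assumes signature verification already happened elsewhere; this only
# tracks the binding and classifies each new message against it.
import email
from email import policy
from email.message import Message
from email.utils import parseaddr
from typing import Optional


def signing_domain(msg: Message) -> Optional[str]:
    """Return the d= tag of the first DKIM-Signature header, or None."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return None
    for tag in str(sig).split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "d":
            return value.strip().lower()
    return None


def check_binding(store: dict, raw: str) -> str:
    """Classify a raw RFC 5322 message as 'unsigned', 'new', 'match' or
    'mismatch' and record the first-seen signer in `store`."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    d = signing_domain(msg)
    if not addr or d is None:
        return "unsigned"          # nothing to bind against
    prior = store.get(addr)
    if prior is None:
        store[addr] = d            # snapshot on first sight
        return "new"
    return "match" if prior == d else "mismatch"   # mismatch => warn user


# Constructed sample messages (placeholder bh=/b= values, not real mail).
MSG_FIRST = ("From: Alice <alice@example.com>\r\n"
             "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\r\n"
             " h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
             "Subject: hi\r\n\r\nbody\r\n")
MSG_OTHER = ("From: Alice <alice@example.com>\r\n"
             "DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=x;\r\n"
             " h=from; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
             "Subject: urgent\r\n\r\nbody\r\n")

if __name__ == "__main__":
    seen = {}
    for m in (MSG_FIRST, MSG_FIRST, MSG_OTHER):
        print(check_binding(seen, m))   # new, match, mismatch
```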