Re: [ietf-dkim] DKIM SSP: Security vulnerability when SSP record does no

Douglas Otis wrote:

On Aug 22, 2005, at 3:23 PM, Scott Kitterman wrote:
Douglas Otis wrote:
Binding a mailbox-address or mailbox-domain to a domain signature isnot a goal, it is a mechanism. What is the intended goal? What isthe selection process? What level of administrative effort willthis entail? What level of DNS interaction is required?
Good design questions for the group to work on once it's chartered.
What practical role does DKIM play, what problems are being addressed,and what problems are potentially created? Consider this together withpotential systemic risks.
You wish to include an anti-forgery mechanism directly within DKIM. Ifear serious issues will likely derail DKIM deployment when "anti-forgery" mechanisms interfere with normal email, while at the same timeforgery continues. I doubt there is a possible draft that offersobtainable goals related to anti-forgery without per-user- keys.Anti-forgery appears practical for S/MIME or OpenPGP, but becomes tooproblematic for DKIM. At least when done directly.

The signature and SSP parts of DKIM are completely severable. Althoughnot perfect the current SSP draft would seem to offer a basis for moreoptimism than that.

Certainly S/MIME or PGP offer greater identity assurance, but that isn'treally the point.

Considering the goal of protecting naive recipients, I then describedan add-on feature for an MUA that supplants the need to include anti-forgery mechanisms directly within DKIM. This was based upon apractical assessment of the goals using a narrower focus. For example,you said there is a need for domain-wide assertions. I agreed adomain-wide assertion can prevent unauthorized servers.

Yes. From my POV (and once again I don't expect us to agree on this)you managed to propose an alternative that is virtually completely freeof the functionality that I'm after.

Once it gets to the MUA, it's too late. I want to reject the messageduring SMTP (after DATA, but before OK).

Allow the MUA to establish bindings from within the message. Thiswould remove the need to publish inordinate amounts of bindinginformation within DNS. At least this would provide recipients awarning when messages deserve closer examination. An MUA "mailbox-address/domain-signature/opaque-identifier" snap-shot add-on, togetherwith a simpler DKIM that remains independent of mailbox- addresses willstill abate most targeted spoofs. Leave this aspect of spoofing to theMUA, which must change to provide this type of feature anyway. By nottracking mailbox-addresses, this allows a simpler more basic design forDKIM. The simpler design should permit easier analysis, and provide asafer outcome.

If one is after an MUA solution, that may be true. However because ofthe time requirements for an MUA solution, I think you end up backingyourself into some kind of full fledged PKI infrastructure to supportpost-facto signature validation.

I expect that by constraining signature validation to the MTA/MDA andpassing a result to the MUA, an MTA/MDA approach would be much simpler,lighter weight, and deployable. I don't expect you'll agree with thiseither.

Given that domain-wide assertions can prevent unauthorized servers, Ithink that we would seriously be wasting an opportunity here if wedidn't provide that capability.

The details of where/when and how that is done (which seems to be ourmajor point of disagreement at this point) I would imagine are oneaspect of what the yet to be chartered working group is supposed tofigure out.

So, from a charter scope perspective, I would think that this aspect ofthe problem should definitely be included.

The threats and the potential for DKIM to deal with the subset of thesetypes of threats that it does should also be included in the threatassessment.


Scott Kitterman
_______________________________________________
ietf-dkim mailing list
http://dkim.org

Re: [ietf-dkim] DKIM SSP: Security vulnerability when SSP record does not exist?