ietf-dkim

Re: [ietf-dkim] proposed threat analysis outline

2005-08-23 03:35:18
On Mon, 22 Aug 2005, Jim Fenton wrote:

> While I like your outline quite a bit, my inclination is to stick closer to
> the specific questions that Russ posed (Who are the bad guys and what are they
> capable of? Where are they in the system? What do they want to do?). The
> more that we expand beyond that the more likely we are going to get tied up in
> a debate, perhaps about something that we don't need to resolve right now.

I should have explained why I don't think those questions are directly
helpful. The answers to them are either too facile (spammers/phishers,
lying/criminality; millions of compromised PCs; obtain money) or too
complicated because they lead directly to a rat-hole discussion about the
Final Ultimate Solution to the Spam Problem.

One thing in particular that we don't want to do is to get involved in
cataloguing the various ways in which email can be bad or in which people
can behave badly using email. This is doomed because we cannot hope to
perform a complete analysis: the threats extend beyond email per se to
threats against the things that people use email for, which are unbounded;
the prime examples are phishing and 419 fraud. And we will still have to
include a slot for "stuff I don't like", which isn't very amenable to
security analysis.

Instead we need to concentrate on an approach to security which is
independent of the kinds of bad behaviour that people indulge in over
email. This boils down to punishing people for behaving badly. How do we
punish them? Current techniques include blacklisting, financial penalties
(bonded sender), law suits, etc. How do we spot bad behaviour? Current
techniques include taking reports from users, pattern matching, heuristic
analysis, etc. We would like to augment this with mechanisms for
publishing policies that can be implemented in a distributed manner, such
as SSP. Who do we punish? IP addresses, mostly. We'd like to identify
something that has a more direct link to punishable accountable people,
and this is what DKIM aims to provide.

The above is NOT to say that I think Russ's questions should be ignored;
rather I think they should inform the document pervasively.

Tony.
-- 
f.a.n.finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
GOOD.
_______________________________________________
ietf-dkim mailing list
http://dkim.org