ietf-dkim

RE: [ietf-dkim] Revised threat model

2005-09-01 14:53:18
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org]On Behalf Of Hallam-Baker,
Phillip
Sent: Tuesday, August 30, 2005 10:29 AM
To: IETF-DKIM
Subject: [ietf-dkim] Revised threat model


If the proposed revisions are made to the charter then the threat model
is considerably easier to articulate. Note that we are not promising
*less*, we are simply stating the claims more precisely.



1. Who are the bad actors? (Characterize them, eg, what resources do
they have?)

The bad actors are a variety of Internet criminals who exploit the lack
of authentication in SMTP email to create messages that purport to come
from another party.

The principal concern is caused by professional Internet criminals with
access to significant computation and network bandwidth resources. These
resources are typically stolen, the criminals either establishing their
own 'botnet' or renting the use of an existing botnet from another
party.


2. Where do they fit into the protocol environment (eg, middle of net)?

The Internet criminals of concern typically operate at the edge of the
net. In some cases the criminals have access to backbone routers and
have the ability to inject fake BGP routing information.

The cryptographic approach described does not depend on the location of
the attack being limited to a particular part of the protocol
environment except to the extent that the approach depends on the
security of the DNS and does not propose replication of existing work on
DNSSEC.


3. What are we trying to prevent them from doing?

The objective of DKIM is to prevent an Internet criminal stealing the
reputation associated with an existing DNS domain name by creating spoof
emails that impersonate a domain.

The message signature format and the security policy mechanisms allow a
sender to specify which emails they accept and deny responsibility for.
This in turn allows spam filtering engines to compile and apply
reputation information more accurately.

Is this too narrow?  Could the second sentence be, "This in turn allows mail
receivers to reject messages for which responsibility has been denied and
allows spam filtering engines to compile and apply reputation information
more accurately."

I don't think this goes beyond what DKIM is capable of.

As currently defined DKIM is only designed to provide a machine readable
authentication mechanism. Although DKIM information MAY be presented to
a human reader the authentication mechanism currently defined is NOT
designed to prevent impersonation of other identifiers that a human
reader might rely on. In particular DKIM does not provide protection
against the use of 'cousin' or 'lookalike' addresses in a phishing
attack.


Scott Kitterman
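As an added example (not part of the original message or of the DKIM specification), here is a small Python model of the receiver-side decision discussed above: a verified signature means the signing domain accepts responsibility, a published policy lets a domain deny responsibility for unsigned mail, and a lookalike domain remains outside what the signature mechanism can catch. The policy values, the domain names and the `looks_like` heuristic are constructed assumptions, not DKIM's actual record format.

```python
# Added example, not from the original message: a toy model of how a
# receiver combines signature result and sender policy to attribute
# responsibility, plus the lookalike-domain case DKIM does not cover.
import difflib
from enum import Enum


class SigResult(Enum):
    PASS = "pass"   # signature verified against the signing domain's key
    FAIL = "fail"   # signature present but did not verify
    NONE = "none"   # no signature on the message


# Hypothetical policy records, constructed for illustration; the real
# DKIM policy record format is not described on this page.
#   "all":  the domain signs every message it sends
#   "some": the domain signs some of its mail
POLICY = {"bank.example": "all", "shop.example": "some"}


def classify(from_domain, sig_domain, result):
    """Return (domain accepting responsibility or None, disposition)."""
    if result is SigResult.PASS:
        if sig_domain == from_domain:
            return sig_domain, "author-domain-signed"
        # A third party vouches for the message; the From: domain does not.
        return sig_domain, "third-party-signed"
    # Unsigned or failed signature: consult the From: domain's policy.
    policy = POLICY.get(from_domain)
    if policy == "all":
        return None, "responsibility-denied"   # receiver may reject
    if policy == "some":
        return None, "unverified"              # ordinary unsigned mail
    return None, "no-policy"


def looks_like(candidate, protected, threshold=0.85):
    """Heuristic lookalike check that DKIM itself does not perform."""
    if candidate == protected:
        return False
    ratio = difflib.SequenceMatcher(None, candidate, protected).ratio()
    return ratio >= threshold


if __name__ == "__main__":
    print(classify("bank.example", "bank.example", SigResult.PASS))
    print(classify("bank.example", None, SigResult.NONE))
    print(classify("paypa1.example", "paypa1.example", SigResult.PASS))
    print(looks_like("paypa1.example", "paypal.example"))
```

Note that the signed lookalike message is classified exactly like a legitimately signed one; reputation must therefore be keyed to the exact signing domain, and lookalike detection is a separate receiver-side check.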

_______________________________________________
ietf-dkim mailing list
http://dkim.org
