ietf-dkim

Re: [ietf-dkim] is this a problem or not?

2005-10-28 21:49:13
Stephen Farrell wrote:


In an offlist exchange with Doug I asked him whether he thinks
the following scenario is an example of his perceived problem
with ssp. He said it is an example, so I wanted to check with
the list about this.

1. Alice works for Alice-Corp who publish a policy to the effect
   that they and only they sign all their outbound mail.
2. Alice posts a message to Foo-list which signs the message
   itself and drops Alice's signature.

You didn't say whether foo-list did something that broke the original signature. I'm not sure whether that is completely relevant here, but IMO the removal of Alice's signature is reasonable if it was broken anyway. Otherwise, I think it should have stayed.

3. Bob receives the message from the Foo-list, signed by the list.
4. Bob looks up Alice-Corp's ssp assertion and considers the
   message as having a bad signature.

It's probably a better example if Bob's domain did this, and made the decision. Bob potentially knows he's subscribed to foo-list and can whitelist it. Domains are less likely to be able to do this.

5. In order to alleviate this problem Alice-Corp are forced
   to weaken their policy to allow 3rd party signatures to be
   accepted by Bob.

I expect that domains that wish to send through munging/re-signing mailing lists will either need to do this, or move their users who want to enable re-signing to a different domain or to a subdomain that allows third party signatures.


So, is there an error in the above? (E.g. does the problem go
away if both signatures are maintained with the message, or
does it just get more messy, but remain a problem.)

If the above is possible, how should/can it be avoided?

We are trying to not force changes in mail addressing, but segregating users with different signing policies may be an exception to that. My expectation was that only a relatively small number of high-value domains (banks, etc.) would use the Exclusive (no third-party) signing policy anyway.

Nobody has yet mentioned the user-level granularity option in SSP. The SSP draft specifies a way to set signing policy at the user level, but I'm not sure whether it's practical or not, due to DNS load. It probably does lack one thing: a way of defining default policy for addresses that don't have a user-level record. This would make it possible for there to be a policy allowing third-party signatures, except for some specific addresses. The price for this is an additional DNS check and (mostly) negative caching of the result.


Note: even if this is a valid problematic scenario, I don't
believe we need to fix it right now, but we should recognise
it as a problem that needs solving.

As Mike Thomas pointed out, another thing that may be lacking in SSP is a preference from the subject domain of how harshly to interpret failures. Options might include increased scrutiny and outright deletion of the message. Of course it's the verifier that ultimately decides what to do with the message, and may or may not follow that preference.

I consider the Exclusive policy to be an improvement available to some domains that send mail in particular ways, relative to signing policies that have been discussed in the past. In other words, let's not throw out Exclusive just because it doesn't work for some domains that would like to use it.

-Jim

_______________________________________________
ietf-dkim mailing list
http://dkim.org
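The decision process discussed in the thread (an Exclusive author-domain policy, a list that drops the author's signature, and the user-level-record-with-domain-default idea), modelled as a small verifier. This is an added example and not code from the ietf-dkim thread, the SSP draft, or any DKIM implementation; the record names (`_policy.<domain>`, `<local>._policy.<domain>`), the policy keywords and the lookup order are assumptions made for illustration and do not reproduce the draft's actual record syntax. The "DNS" is a constructed in-memory table.

```python
"""Toy model of DKIM sender-signing-policy (SSP) evaluation.

Added example, not code from the ietf-dkim thread or any DKIM
implementation. Record names, policy keywords and the lookup order
below are assumptions for illustration; the SSP draft's real record
format is not reproduced here.
"""
from dataclasses import dataclass, field

# Constructed "DNS": record name -> policy text. Hypothetical keywords:
#   exclusive   - only the author domain may sign; other signers don't count
#   third-party - a verified signature from another domain is acceptable
DNS = {
    # Alice-Corp: domain-level Exclusive policy (Stephen's scenario)
    "_policy.alice-corp.example": "exclusive",
    # A domain whose default allows third-party signatures ...
    "_policy.bank.example": "third-party",
    # ... except for one high-value address carrying a user-level record
    "alerts._policy.bank.example": "exclusive",
}


def lookup(name):
    """One simulated DNS query; None stands in for NXDOMAIN."""
    return DNS.get(name)


@dataclass
class Message:
    author: str                                  # From: address
    verified_signers: list = field(default_factory=list)  # d= domains whose signatures verified


def effective_policy(author):
    """Return (policy, number_of_queries).

    User-level record first; if absent, fall back to the domain default.
    The second query is the extra DNS check Jim mentions, and its
    negative answer is what a verifier would want to cache.
    """
    local, _, domain = author.partition("@")
    queries = 1
    user_rec = lookup(f"{local}._policy.{domain}")
    if user_rec is not None:
        return user_rec, queries
    queries += 1
    dom_rec = lookup(f"_policy.{domain}")
    return (dom_rec or "none"), queries


def evaluate(msg):
    """Verifier verdict for a message: 'pass', 'fail' or 'neutral'."""
    _, _, domain = msg.author.partition("@")
    policy, _ = effective_policy(msg.author)
    if domain in msg.verified_signers:
        return "pass"        # author-domain signature survived the list
    if policy == "exclusive":
        return "fail"        # no author-domain signature, none allowed from others
    if policy == "third-party" and msg.verified_signers:
        return "pass"        # list's own signature is acceptable
    return "neutral"         # no usable policy or no signature at all


if __name__ == "__main__":
    # Alice posts via Foo-list, which re-signs and drops her signature.
    print(evaluate(Message("alice@alice-corp.example", ["foo-list.example"])))
    # Same message, but the list kept Alice's signature intact.
    print(evaluate(Message("alice@alice-corp.example",
                           ["alice-corp.example", "foo-list.example"])))
    # bank.example default allows lists; alerts@ is carved out as Exclusive.
    print(evaluate(Message("support@bank.example", ["foo-list.example"])))
    print(evaluate(Message("alerts@bank.example", ["foo-list.example"])))
```

Running it shows the four outcomes the thread argues about: the re-signed message from an Exclusive domain fails, it passes if both signatures are retained, and the per-user record lets a domain publish a permissive default while still protecting specific addresses, at the cost of one extra lookup per message for addresses without their own record.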