ietf-dkim

Re: [ietf-dkim] SSP security relies upon the visual domain appearance

2005-11-22 19:24:54

On Nov 22, 2005, at 4:25 PM, Hector Santos wrote:

>>> How about the rights of the server? of the domain owner?

>> The signing-domain would be that of the administrative-unit
>> introducing the message.  Why is that not an adequate basis for
>> acceptance?


> What's an "Administrative Unit"?

It is used in the draft, although Dave does not like the term either.
2.  Email Actor Roles
http://www.ietf.org/internet-drafts/draft-crocker-email-arch-04.txt


> What about the rights of the server, domain, the owner of the email domains being exploited?

Requiring an email-address owner to "authorize" who may sign their messages exposes them to the risks of the authorization itself. The authorization may be used to unfairly accrue behavior due to the "junk" they inadvertently authorize. This should sound familiar, as it is a scheme already in place. The email-address owner may quickly lose their right to have their messages accepted when authorizing third-party signers. This breaks current email practices and thus should win broader consensus before moving forward. Considering that SSP is a futile effort and that there are better methods to avoid spoofing, why should it?

For example, when this list implements a DKIM signature without other changes, then third-party signatures will need to be permitted. Why is the signature of the list-server alone not an adequate basis for acceptance? Email-addresses should not be held accountable unless S/MIME or OpenPGP provides an expectation that the email-address owner and the signer are one and the same.

Consider a scheme where a prior correspondent is highlighted as the means to avoid spoofs of all sorts (including look-alikes). Just the existence of a DKIM signature would greatly improve filter heuristics without the authorization scheme. Deterministic criteria can be asserted without an authorization record, by the way. When only 'o=!' records exist, the overhead will be fairly high, especially for the spam that uses a series of wildcard labels in their addresses to avoid filters.


>> Do you think that a worm will not adapt and avoid "deterministic"
>> constraints?

> But even if it did, it would be a lot better than your "Take The First Strike" ideas where there is no incentive for adaptation.

If they have adapted and comply with your "deterministic" requirements, how have you avoided the "Blitz" attack or any other strategy? Why not depend upon the signing-domain as a basis for acceptance? This would anticipate network exploits as well as meeting your deterministic criteria. This puts you two moves ahead.



>> As a child, you may have enjoyed the game of tic-tac-toe.  Once you
>> better understood the game, you simply decide not to play.  When an
>> opponent also knows the game, you become aware there is no point.

> I hope you realize the nonsense point you are trying to make also applies to both players. Once the bad actor knows there is no way to win, he will stop trying just as well.

When your deterministic criteria can be met by the abuser, you have failed to win. They win when you don't. This is an expensive game when thousands of applications must be rewritten for a no-win scenario.

-Doug

_______________________________________________
ietf-dkim mailing list
http://dkim.org
