ietf-dkim

Re: [ietf-dkim] Fenton-DKIM-Threat-02 3.1. Use of Arbitrary Identities (and SSP)

2006-01-05 16:44:31
Douglas Otis wrote:

> Perhaps this can help with context.
>
> [very good chart removed for brevity]
>
> This chart is not finalized, but the direction raises serious
> concerns.  This chart appears to be an attempt to hold the
> email-address domain owner culpable.  It is also disheartening to see
> the email-address domain owner offers a reporting address, but not the
> signer.  There are alternatives to SSP, but following this direction...

The chart does not hold anyone culpable.  When a message is received
with a valid signature, the signer is acknowledging that the message
came from or through them. [We should really work out the wording on
this:  do they "take responsibility"?  Are they "accountable"?  But I
digress.]  What SSP does is to strengthen what can be said of a message
without a valid signature:  it gives the email-address domain owner (to
use your term) or originating-address domain owner (to use mine) the
ability to assert that they didn't send the message.  So it makes them
less culpable, not more.

It's true that there is no reporting address associated with the signer
(there is the n= (notes) field in the key record, but no guidance about
putting a reporting address there).  That is perhaps something that
should be added; do you think it belongs in the key record or in the
signature itself?


> When reputation of the email-address domain owner takes precedence
> over that of the signer, this could coerce the authorization into
> becoming "closed" ('!').  To lessen disruption caused by the "closed"
> authorization, the PRA algorithm could be used.  With Jim suggesting
> Sender-ID may solve the replay issue, this algorithm will need to be
> licensed anyway.  Any "open" authorization offers no protection for
> either the email-address domain owner or the recipient whatsoever
> anyway.  (It would seem the protection being sought is for the
> provider.)  Being culpable for authorization takes the burden of
> reputation the provider would normally carry and places the
> reputation burden onto the hapless email-address domain owner,
> perhaps in the form of user-feedback.

The coercion you describe depends on how the reputation system
operates.  It's unwise to assume that it operates under any particular
set of rules.

With respect to the replay issue, I only want to point out that DKIM
does not need to operate in a vacuum.  I do not want to tie it to any
other message authentication technology.

The "hapless" email-address domain owner has the option of not
publishing a contact address (r= in the SSP is optional).



> Fenton-DKIM-Threat-02
>
> 3.1.  Use of Arbitrary Identities
> ...
>  DKIM is effective in mitigating against the use of addresses not
>  controlled by bad actors, but is not effective against the use of
>  addresses they control.
>
> ----
>
> This effectiveness would be dependent upon the use of '!' (EXCLU)
> authorization.  Such setting however would be incompatible with
> several practices.  To be compatible with today's common practices,
> authorizations would need to be '~' (NEUTRAL) or "open-ended."
>
> It would seem the statement "is effective" should be changed to "may
> be effective only when the '!' authorization is being employed.  This
> '!' authorization is not compatible with many possible uses."

This paragraph is talking about addresses controlled by bad actors.  The
point is that bad actors that own particular domains can sign messages
(i.e., you can't use the presence of a signature to say that a bad actor
didn't originate it).  It has nothing to do with SSP.

-Jim
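The distinction argued over above (what a verifier can say about a message with a valid signature versus one without, and how the '!' and '~' practices change that) is easier to see as a decision procedure. The following is an added illustration, not code from either correspondent, from the DKIM drafts, or from any implementation. It assumes a simplified SSP-style record syntax (semicolon-separated `tag=value` pairs, an `o=` tag carrying '!' or '~', and the optional `r=` reporting address the thread mentions); the record format, tag names, domain names and verdict labels are all constructed for this example.

```python
"""Added example: what a verifier can conclude from a signature plus an
SSP-style practice record.  Record syntax and verdict labels are assumed
for illustration; they are not taken from the DKIM or SSP drafts."""
from dataclasses import dataclass
from typing import Optional

# Verdict labels (constructed for this example).
SIGNER_ACKNOWLEDGES = "SIGNER_ACKNOWLEDGES"          # signer says "came from or through us"
THIRD_PARTY_ACKNOWLEDGES = "THIRD_PARTY_ACKNOWLEDGES"  # same, but signer != originating domain
THIRD_PARTY_UNAUTHORIZED = "THIRD_PARTY_UNAUTHORIZED"  # '!' practice, third-party signer
NOT_SENT_BY_DOMAIN = "NOT_SENT_BY_DOMAIN"            # unsigned under '!': domain asserts it did not send
UNKNOWN = "UNKNOWN"                                  # unsigned under '~': nothing can be concluded


@dataclass
class Policy:
    practice: str            # '!' (exclusive/closed) or '~' (neutral/open-ended)
    report: Optional[str]    # r= reporting address; optional, as the thread notes


def parse_policy(record: str) -> Policy:
    """Parse an assumed 'o=!; r=addr' style record into a Policy.

    Unknown tags are ignored; a missing o= tag is treated as '~' (assumption)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    practice = tags.get("o", "~")
    if practice not in ("!", "~"):
        raise ValueError(f"unsupported practice {practice!r}")
    return Policy(practice=practice, report=tags.get("r") or None)


def evaluate(originating_domain: str, signer_domain: Optional[str],
             policy: Policy) -> str:
    """Return the verdict a verifier can state.

    signer_domain is the d= of a *valid* signature, or None when there is
    no valid signature.  A valid signature always means the signer
    acknowledges the message came from or through it; SSP only changes
    what can be said when the signature is absent or from a third party."""
    if signer_domain is None:
        # No valid signature: only a '!' practice lets the originating
        # domain assert that it did not send the message.
        return NOT_SENT_BY_DOMAIN if policy.practice == "!" else UNKNOWN
    if signer_domain.lower() == originating_domain.lower():
        return SIGNER_ACKNOWLEDGES
    # Third-party signature: the signer still acknowledges relaying, but
    # under '!' the originating domain has said such signatures are not
    # acceptable on its behalf.
    if policy.practice == "!":
        return THIRD_PARTY_UNAUTHORIZED
    return THIRD_PARTY_ACKNOWLEDGES


def report_contact(policy: Policy) -> Optional[str]:
    """Where complaints can go: only the originating domain's optional r=,
    since the thread notes the signer publishes no reporting address."""
    return policy.report


if __name__ == "__main__":
    closed = parse_policy("o=!; r=abuse@example.com")   # constructed record
    neutral = parse_policy("o=~")                        # constructed record
    for signer in (None, "example.com", "relay.example.net"):
        print("closed :", signer, "->", evaluate("example.com", signer, closed))
        print("neutral:", signer, "->", evaluate("example.com", signer, neutral))
    print("report to:", report_contact(closed), "/", report_contact(neutral))
```

Running it shows the point Jim makes: a '!' record is what turns "unsigned" into a statement by the domain owner, while under '~' an unsigned message says nothing either way; in both cases a valid signature only ever commits the signer.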
_______________________________________________
ietf-dkim mailing list
http://dkim.org