On Jan 5, 2006, at 3:41 PM, Jim Fenton wrote:
Douglas Otis wrote:
Perhaps this can help with context.
[very good chart removed for brevity]
This chart also needs to be updated to remove the '?' qualifier I
believe. As I indicated, the chart still raises concerns. Having a
signature without a policy is provided a lower rating than not having
a signature. The same is true for 3rd-party signatures. This is
dunning those without policies and discounting the signer. That is
being coercive. This is bad as publishing the SSP record also
increases the exposure to those administrators willing to equivocate
about source identifiers. Having an "open" authorization increases
risks in those cases. The chart should assume the sender is
intelligent and publishes nothing in these cases. There should be
only two policies possible '!' and '.'. Any other policy is
foolish. The rating scheme should emphasize the signer over the SSP
record, but when pared down to just these two policies, that
situation is resolved.
The chart does not hold anyone culpable.
Spend a bit more time studying the matrix. Why demerits for not
having a policy or for using third-party signatures? Why is the
email-address domain owner (I don't want to assume they are actually
the originator) the entity publishing a contact? There has been at
least a solid two years of arguing (not with you) that authorization
is not authentication, but this chart seems to be based once again
upon this false assumption. : (
When a message is received with a valid signature, the signer is
acknowledging that the message came from or through them.
The terminology should be specific. "Only the signing-domain is
accountable for the message."
[We should really work out the wording on this: do they "take
responsibility"? Are they "accountable"? But I digress.] What
SSP does is to strengthen what can be said of a message without a
valid signature: it gives the email-address domain owner (to use
your term) or originating-address domain owner (to use mine) the
ability to assert that they didn't send the message. So it makes
them less culpable, not more.
This statement assumes the authorization is '!' which breaks the way
email works. Messages to this list would be lost for example. For
normal uses, SSP does not offer one iota of protection. Of course,
when the DKIM signature is used as a basis for recognition, no
authorization is needed and yet protection is still afforded. : )
It's true that there is no reporting address associated with the
signer (there is the n= (notes) field in the key record, but no
guidance about putting a reporting address there). That is perhaps
something that should be added; do you think it belongs in the key
record or in the signature itself?
Perhaps it would make sense to establish a convention, DKIM-
POSTMASTER@ perhaps. If this seems too rigid, perhaps an entry in
the key, but this makes the key even larger. Adding the reporting
address within the header could be problematic for delegated keys.
The coercion you describe depends on how the reputation system
operates. It's unwise to assume that it operates under any
particular set of rules.
After the last few years, I too agree that it would be unwise to
assume how reputation is applied. This is why it would be less than
intelligent to publish any policy other than '!' or '.'.
With respect to the replay issue, I only want to point out that
DKIM does not need to operate in a vacuum. I do not want to tie it
to any other message authentication technology.
Keep in mind there is a header selection conflict between DKIM and
Sender-ID. The conclusion reached more than a year ago was that "open-ended"
authorizations are worthless. As the only safe policy to publish is
"closed," this suggests the PRA algorithm should be re-examined,
especially if Sender-ID is considered a means to offer replay
protections. There is also an alternative to the authorization
scheme that offers better protections. CSV and In-Channel checks
could be yet another alternative for message replay abuse. Leave the
email-address domain owner harmless. Only the administrator knows
who is using the email-address.
The "hapless" email-address domain owner has the option of not
publishing a contact address (r= in the SSP is optional).
But the hapless email-address domain owner cannot control those
administrators willing to equivocate about source identifiers. The
'r=' suggests this is the entity that is seen as accountable. Not
publishing the SSP record offers more protection than not publishing
an 'r=' parameter.
Fenton-DKIM-Threat-02
3.1. Use of Arbitrary Identities
...
DKIM is effective in mitigating against the use of addresses not
controlled by bad actors, but is not effective against the use of
addresses they control.
This paragraph is talking about addresses controlled by bad
actors. The point is that bad actors that own particular domains
can sign messages (i.e., you can't use the presence of a signature
to say that a bad actor didn't originate it). It has nothing to do
with SSP.
"DKIM is effective in mitigating against the use of addresses not
controlled by bad actors,..."
This is the portion of the statement that is highly misleading. DKIM
is not effective at mitigating the use of addresses not controlled by
bad actors unless a "closed" authorization is used such as '!' or
'.'. A clarification that a "closed" authorization is not
compatible with many common uses of email would also ensure that
someone reading this would not be dramatically misled.
-Doug
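The exchange above argues over what an SSP record can and cannot tell a verifier: an "open" policy leaves an unsigned or third-party-signed message indistinguishable from a forgery, while the "closed" policies ('!' and '.') do give a verdict but break mailing lists that re-sign under their own domain. The script below is an added illustration of that argument and is not code from the thread, from the DKIM working group, or from any SSP draft. It assumes the tag=value layout of an SSP TXT record (`o=` policy, optional `r=` reporting address, optional `t=`), takes the meanings of '!' and '.' from the thread, and assigns the "open" letters '~' and '-' the loose meanings noted in the comments, which are assumptions for the example rather than normative semantics.

```python
"""Evaluate a DKIM-era SSP (sender signing policy) record against a
message's verified-signature status.  Added example; policy semantics
for the "open" letters are assumptions, see POLICIES."""

from dataclasses import dataclass, field
from typing import Optional

# Policy letters as discussed in the thread.  '!' and '.' are the "closed"
# policies; the meanings given to '~' and '-' here are assumptions made
# for this example.
POLICIES = {
    "~": "open: some mail from this domain is signed",            # assumption
    "-": "open: all mail is signed, third-party signers accepted",  # assumption
    "!": "closed: all mail is signed by this domain; no third party",
    ".": "closed: this domain sends no mail at all",
}


def parse_ssp(record: str) -> dict:
    """Parse a tag=value SSP TXT record such as
    't=y; o=!; r=postmaster@example.com' into a dict.
    Raises ValueError on a malformed tag or an unknown/missing o= policy."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    if tags.get("o") not in POLICIES:
        raise ValueError("missing or unknown o= policy")
    return tags


@dataclass
class Message:
    """The two things a verifier knows after DKIM verification: the
    From: domain and the d= domains of signatures that verified."""
    from_domain: str
    valid_signers: list = field(default_factory=list)


def evaluate(record: Optional[str], msg: Message) -> str:
    """Return 'accept', 'suspect', 'reject', or 'no-policy' for msg.

    With no SSP record published the verifier can only go by the signer
    (the thread's preferred basis), so nothing is concluded here."""
    if record is None:
        return "no-policy"
    policy = parse_ssp(record)["o"]
    signers = {d.lower() for d in msg.valid_signers}
    first_party = msg.from_domain.lower() in signers
    third_party = bool(signers) and not first_party

    if policy == ".":
        # Domain says it sends no mail: anything claiming it is bogus.
        return "reject"
    if policy == "!":
        # Exclusive: only a first-party signature satisfies the policy.
        # Note that a list re-signing under its own d= is rejected too.
        return "accept" if first_party else "reject"
    if policy == "-":
        # All mail signed, third parties allowed: an unsigned message is
        # at best suspect, but any valid signer is enough.  (assumption)
        return "accept" if (first_party or third_party) else "suspect"
    # '~': unsigned mail is expected, so an unsigned forgery and a real
    # unsigned message look identical.  No protection.  (assumption)
    return "accept"


def mailing_list_scenario() -> dict:
    """Constructed scenario: a message From: example.com relayed through a
    list that strips/replaces the signature and signs as list.example.org.
    Shows why '!' would lose such messages while '-' lets them through."""
    relayed = Message("example.com", ["list.example.org"])
    forged = Message("example.com", [])  # constructed unsigned forgery
    return {
        "closed_relayed": evaluate("o=!", relayed),
        "closed_forged": evaluate("o=!", forged),
        "open_relayed": evaluate("o=-", relayed),
        "open_forged": evaluate("o=-", forged),
        "weakest_forged": evaluate("o=~", forged),
    }


if __name__ == "__main__":
    for name, verdict in mailing_list_scenario().items():
        print(f"{name:15s} {verdict}")
```

Running it prints one verdict per scenario: the closed policy rejects both the list relay and the forgery, the open policies accept the relay but can only mark the forgery "suspect" (or, under '~', not at all), which is the trade-off the thread is arguing about.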
_______________________________________________
ietf-dkim mailing list
http://dkim.org