Jim Fenton wrote:
When a message is received with a valid signature, the signer
is acknowledging that the message came from or through them.
[We should really work out the wording on this: do they "take
responsibility"? Are they "accountable"? But I digress.]
No, it's a good point. They might claim that it's not their
fault if their user is in fact a zombie. From the receiver's
POV they are still "accountable".
the email-address domain owner (to use your term) or
originating-address domain owner (to use mine)
Doug's vaguer term might be better until I know precisely what
you're talking about, "originator", "author", "sender", "PRA",
or what else. It's not the Return-Path and no "opaque-ID", so
far I'm still on your track.
If you transform it into draft-dkim-threats-00 I hope you'll
add more to appendix A: "Typically the 2822-From" is a trivial
case, if you really want that say "author" instead of "origin",
this would also exclude Resent-From.
What's ADMD ? Some kind of MTA either DKIM-signing messages,
or checking the signature, that point is clear. Your diagram
apparently suggests that the "signer policy" is only checked
for a "verified domain". Is that intentional, and how is it
supposed to work for unsigned mails ?
| Placeholder for some discussion of 2821 vs. 2822 solutions
Say that DKIM is by design independent of the transport, and
that has obvious advantages and disadvantages. Nothing in the
existing 2821 solutions is incompatible with DKIM. No need to
go into details, anybody who cares knows where to find tons of
Caveats for PRA, it's also simple to test it.
| These tools may or may not falsify the origin address
s/may or may not/typically allow to/ It's draft about threats,
not CAN SPAM compliant spam novices.
| and possibly networks of compromised computers ("zombies")
s/possibly// No doubt about that.
| Access to significant computing resources, perhaps through
| the conscription of worm-infected "zombie" computers.
s/perhaps/normally/ or similar, there's no doubt about this...
| Ability to "wiretap" some existing traffic
...OTOH that's rather special, isn't it ? No problem with
listing it as possibility, of course, if it later turns out
to be related to DKIM in some way.
| Certain attacks are possible primarily within the
| administrative unit of the claimed originator
This AU stuff invariably turns into a mouthful, why not use
Keith's term MON (mail originating network). It's perfectly
clear that a "zombie" can pick any route also available to
its former owner including any MSAs signing mail with DKIM.
| and/or recipient domain
"AU of the recipient domain" is also tricky, but Keith's MRN
is clear, who cares how they adminster or outsource their MXs
and AV, and in what adminstrative relationship they are with
the domain part of the original or replaced RCPT TO.
| DKIM focuses primarily on bad actors located outside of the
| administrative units of the claimed originator and the
| recipient.
That would be the "MON of the purported author(s)" if you're
talking about the 2822-From, and the MRN on the side of the
final RCPT TO. I skip further "AU" issues. Essentially it's
a matter of taste which terms you use, but with "AU" it tends
to get pretty verbose. In your short form "AU of the claimed
originator" it makes IMHO no sense.
[Internal bad actors on the MON side]
| DKIM is not directly effective against these bad actors.
Of course not. It might make it worse if the bad actors get a
DKIM PASS, isn't that the main threat ?
| DKIM is effective in mitigating against the use of addresses
| not controlled by bad actors
That's unclear, which addresses, author(s) / sender / PRA ?
Nit or my DEnglish, shouldn't that be "against the abuse of" ?
| In other words, the presence of a valid DKIM signature does
| not guarantee that the signer is not a bad actor.
ACK, same as SPF PASS. Even if it's no stranger, it could be
somebody we know turned into a zombie.
| It also does not guarantee the accountability of the signer,
What do they sign it for if they're not accountable ? That's
different from SPF PASS. For the latter you can at least send
bounces and auto replies without hitting innocent bystanders -
incl. any SPF PASS of bad actors. JFTR, nothing you need to
mention in your draft.
| accreditation and reputation systems can be used to enhance
| the accountability of DKIM-verified addresses and/or the
| likelihood that signed messages are desirable.
Better add "white or black listing" as example / explanation,
3.2 is about "eBoy", how about s/specific/look-alike/ or a
similar term ? IMHO DKIM will be not completely ineffective:
If I'm used to see a PASS for paypal.com, and get a NEUTRAL
for mail.paypal.com.au, then it's "suspicious". Creating a
funny thread on the spamcop list for that fresh and real case.
| Compromised system within originator's | Medium | Medium |
| network | | |
That could be "high + low" for a phish. Or for a mail worm
installing a keylogger it could be "high + medium". It's the
case I most worry about: White listed address with DKIM PASS
turned into a zombie.
It's no "DKIM bug" or something, but it's a real danger, where
any scheme offering some kind of PASS could make it worse, if
receivers aren't educated to stay vigilant.
| It may also help locate the compromised system that is the
| source of the messages more quickly.
Yes, that "may" help. No much progress with that, blocking
port 25 is a cheap snake oil.
| Look-alike domain names | High | High |
Oops, yes, you're right, I forgot that they will get a PASS for
their look-alike domain. IMHO you can delete I18N as special
"high : medium" case, soon nothing will be special with IDNA.
[multiple authors]
| This is an area in need of further study.
Yes, but "pick the first" sounds like a good idea. Even very
stupid MUAs should somehow manage to display at least the first
author (in all scenarios with bad actors).
All in all no serious problem, if we can agree on talking about
author(s) for the 2822-From. Not "origiator", PRA, or "sender"
unless you seriously want it after you have precisely defined
it, RFC, section, paragraph, sentence. That's burnt territory.
Maybe a stupid metaphor, AU is like NFKD, MON + MRN like NFKC,
both are fine, but you need the latter for your threats draft.
Bye, Frank
_______________________________________________
ietf-dkim mailing list
http://dkim.org