On Jan 5, 2006, at 10:34 PM, Jim Fenton wrote:
Douglas Otis wrote:
This chart also needs to be updated...

I'm trying not to have the SSP design discussion yet. While I like
the chart in general, I'm not sure I agree with all of the entries
in it either. I don't think it's necessary to correct it in order
to have the threat analysis discussion.

While any type of chart can be recommended, it does not change how
"open-authorizations" can be misused. The misuse of authorizations
is a _real_ threat.

The "hapless" email-address domain owner has the option of not
publishing a contact address (r= in the SSP is optional).

But the hapless email-address domain owner cannot control those
administrators willing to equivocate about source identifiers.
The 'r=' suggests this is the entity that is seen as accountable.
Not publishing the SSP record offers more protection than not
publishing an 'r=' parameter.

There are no semantics defined for the r= tag; it is just a
"reporting address" and might not even be a person, so I wouldn't
call it accountable.

Being hammered with complaints would suggest otherwise. Placing any
"reporting" address at an authorization is simply wrong. This is a
hold-over from the equivocation that has occurred in the past. In
cases where there has been an exclusive policy such as '!' or '.'
then the signing domain remains just as unique. Only the
signing-domain should have a "report" link, never the authorization record.

"DKIM is effective in mitigating against the use of addresses
not controlled by bad actors,..."

This is the portion of the statement that is highly misleading.
DKIM is not effective at mitigating the use of addresses not
controlled by bad actors unless a "closed" authorization is used
such as '!' or '.'. A clarification that a "closed"
authorization is not compatible with many common uses of email
would also ensure that someone reading this would not be
dramatically misled.

I guess it depends on what you consider to be a "mitigation". Note
that it does not say that it prevents the use.

For normal use, an authorization scheme used in conjunction with DKIM
does not offer an ability to mitigate the misuse of one's
email-addresses. There should be an admission that only in an exceptional
and highly restrictive case can DKIM offer this protection in
conjunction with authorization. This then wanders down the road of
multiple from addresses, but again this depends upon how SSP is
resolved. There are some safe generalizations that can be made
about an authorization scheme, but the caveats regarding the use of
authorization should not be overlooked. Try to keep an open mind
about how DKIM offers protection. I would not be concerned by an
authorization scheme that only includes the '!' and '.' policies.
Anything else invites equivocation and coercion with respect to what
is authentication, and who ultimately is held accountable.

-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org