ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] Fenton-DKIM-Threat-02 3.1. Use of Arbitrary Identities (and SSP)

2006-01-09 15:41:23
from [Jim Fenton] [Permanent Link] 
Douglas Otis wrote:


Being hammered with complaints would suggest otherwise.  Placing any 
"reporting" address at an authorization is simply wrong.  The is a 
hold-over from the equivocation that has occurred in the past.  In 
cases where there has been an exclusive policy such as '!' or '.' 
then the signing domain remains just as unique.  Only the signing-
domain should have a "report" link, never the authorization record.


This is beyond the scope of the threats document.  Feel free to bring it
up again when we're discussing SSP.





"DKIM is effective in mitigating against the use of addresses  not
controlled by bad actors,..."




This is the portion of the statement that is highly misleading.  
DKIM is not effective at mitigating the use of addresses not 
controlled by bad actors unless a "closed" authorization is used 
such as '!' or '.'.   A clarification that a "closed"  authorization
is not compatible with many common uses of email  would also ensure
that someone reading this would not be  dramatically mislead.



I guess it depends on what you consider to be a "mitigation".  Note 
that it does not say that it prevents the use.



For normal use, an authorization scheme used in conjunction with DKIM 
does not offer an ability to mitigate the misuse of one's email-
addresses.  There should be an admission that only in an exceptional 
and highly restrictive case, can DKIM offer this protection in 
conjunction with authorization.  This then wanders down the road of 
multiple from addresses, but again this depends upon how SSP is 
resolved.   There are some safe generalizations that can be made 
about an authorization scheme, but the caveats regarding the use of 
authorization should not be overlooked.  Try to keep an open mind 
about how DKIM offers protection.  I would not be concerned by an 
authorization scheme that only include the '!' and '.' policies.   
Anything else invites equivocation and coercion with respect to what 
is authentication, and who ultimately is held accountable.


Goind back to the original statement, this has nothing to do with SSP. 
It simply says that bad actors can sign their own messages from their
own domains, and I think we all agree with that.

-Jim
_______________________________________________
ietf-dkim mailing list
http://dkim.org
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt], Jim Fenton
Next by Date:  Re: [ietf-dkim] Re: Fenton-DKIM-Threat-02 3.1. Use of Arbitrary Identities (and SSP), Jim Fenton
Previous by Thread:  Re: [ietf-dkim] Fenton-DKIM-Threat-02 3.1. Use of Arbitrary Identities (and SSP), Douglas Otis
Next by Thread:  [ietf-dkim] Re: Fenton-DKIM-Threat-02 3.1. Use of Arbitrary Identities (and SSP), Frank Ellermann
Indexes:  [Date] [Thread] [Top] [All Lists]