On Sat, 2006-01-14 at 05:40 +0100, Frank Ellermann wrote:
Douglas Otis wrote:
That leaves us with one interesting case, "open-ended" signing
policy without related signature, but a PASS for a third party
signature. In that case complaints should be of course sent
to the signing-domain, not to the signing policy domain owner
(or to the From address, maybe replacing the LHS by abuse@).
Absolutely. Which is why it is wrong to include a reporting vector in
the email-address domain owner's policy statement. The reporting vector
should be solely defined for the signing domain.
I don't see any specific threat here related to "open-ended"
or "closed" policies. No signature is like NEUTRAL, receivers
can't do much with it (except from screwing-up), it's a polite
form of saying "thanks for supporting DKIM or SPF resp., but
for this mail you wasted your time".
The email-address domain owner _may_ be held culpable for "open-ended"
policies as these allow abuse. Although such treatment would be unfair,
nevertheless being unfair, intentionally or not, would be beneficial to
larger domains. Not defining the publishing any "open-ended" policies
within the SSP draft would prevent this concern, as would removing the
reporting vector. DKIM should make it clear the signing-domain and
_not_ the email-address domain must be held accountable.
Finally, why should bad actors intentionally try to abuse
addresses with "open-ended" policies ? IMO that's a stupid
plan, receivers used to get "SPF PASS" or "DKIM valid" or what
else would of course look twice if they suddenly get only a
NEUTRAL or no signature or a broken signature.
Consider the situation where the majority of email with a DKIM signature
is done by providers that place no restrictions upon the email-address.
Of those emails where the email-address has a policy record that affirms
third-party signatures are used, this will likely obtain a higher
ratings over email-addresses where nothing has been affirmed. Just as
not publishing a reporting vector in the email-address policy prevents
Really Stupid(tm) behavior, not publishing "open-ended" policies
prevents the same Really Stupid(tm) behavior.
I don't think there is any question that a closed policy will
prevent the use of most list servers, for example. Posting
to a list is a common use.
Nothing forces domain owners to publish closed policies, we've
already discussed this. The WG charter says that the WG will
consider mailing lists, and that's a topic for the SSP draft.
Publishing a closed policy is okay for those domains that do not mind
disrupting common practices. At the same time, those domain owners
should also be aware this may only change the nature of abuse, such as
increasing the prevalence of display-name, look-alike, tld, and
hyphenated attacks.
For those domains, such as access providers, that do not wish to disrupt
their customers use of email, the act of the provider signing email (a
good thing) may put their customers at risk when their customers are
coerced into publishing some type of open policy. Not providing any
open-ended, or third-party signer listings mechanisms should curtail
coercive tactics or unfair reputations placed upon the email-address
domain owner. This can be done while _still_ allowing closed polices.
And also for the base draft wrt invalidated signatures. But
IMO not for the threats draft. Unrelated, there are now some
IETF pages for the WG: <http://tools.ietf.org/wg/dkim> Bye
Thank you for the link. : )
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org