Re: [ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt]
2006-01-15 17:48:16
On Jan 14, 2006, at 11:33 AM, Stephen Farrell wrote:
The concern is not about leveling the playing field, but rather
not giving the large domain a powerful club with which to beat the
heck out of smaller domains. This requires avoiding any reason or
excuse for an open policy to be published.
I don't get your logic there. What is the relationship between
domain size and SSP that gives rise to a (technical) threat? I
don't believe there is one.
a) The severity of the threat of being held culpable for an open-end
policy reduces as the domain size increases.
b) When publishing a policy increases the rating of a message,
accountability will effectively move to the email-address domain,
which is exacerbated as the signing-domain gets larger.
Identities exposed by DKIM beyond the signing-domain are email-
addresses: the key's 'g=' and the signatures 'i=' parameters, or
discovery of a published policy referenced from a header's email-
address. Common practices require an open-ended policy to avoid
disruption. Despite this, finding a policy for an email-address will
also likely increase the rating of the message. An increased rating
could be done to encourage the publishing of policies which mitigate
the policy search overhead. In the case of a foreign email-address
being signed, neither the 'g=' or the 'i=' parameters can be used as
an identifier. When the signing-domain represents tens of millions
of users, and there is a targeted abuse by compromised systems with
access (perhaps a result of the increased rating), acceptance due to
a policy will then likely require the affected email-addresses be
selectively blocked. For very large domains, blocking at the
signature would not be practical, as this would disrupt messages from
tens of millions of users.
The threat document speculates on the risks created by bad-actors.
It seems appropriate to consider possible DKIM related dynamics,
especially when there is a history that supports this concern. Many
administrators consider an ideal system would _only_ hold the email-
address domain owner accountable. Unfortunately, fairness would then
rapidly become a casualty. DKIM can be engineered to avoid this
unfairness. To do so, an open-ended policy should be avoided.
[...paradox lost...]
For example, a second level domain "co.jp" publishes the 'o=.'
policy. This would mean all sub-domains must then also publish a
policy or forgo expectations of having their email accepted.
"o=." states that nothing in co.jp sends email (I hate those terse
labels being used in discussion, whatever about in the DNS.) I
assume that some enterprises in co.jp would complain mightily,
i.e. that's not going to happen.
The SSP draft does not offer concise terminology, so the symbols are
used instead. The second level domain may feel justified when the
traffic becomes onerous. The paradox is that avoiding the use of
open-ended policies to terminate the search has not been accommodated
in the current design. As you suggested, closed policies would be
highly disruptive. Fixing this problem only requires a minor change.
A mechanism to indicate the SSP record does not apply to sub-
domains would ensure the search could end, but would then not be
applied to the sub-domains. A separate mechanism not part of the
'o=' could be used, such as 'i=y' or 'i=n' for sub-domains inherit
policy (yes/[no]).
Maybe. I could imagine some benefit were SSP to include allow
inclusion of something like a "depth" value which'd say that this
policy applies here and N more levels down. Sort of like the
pathLenConstraint in X.509. But thats for later in any case when
we're doing SSP.
This level complexity is not needed. "From here down", or "just
here" should be sufficient.
When the signing/email domains don't match and "some legitimate
messages are not signed or are signed by others" policy is
discovered, how does this relate to what what messages are
conformant?
That's up to the verifier and not in scope of threats. We might
want to discuss a bit when its time to do SSP, but absent any
demonstrated threat, its definitely for later I believe.
Contemplating how DKIM may be implemented is beyond consideration?
This is not suggesting that any particular method be used by the
verifier. This concern is based upon logical and possible scenarios
and outcomes. Excluding possible behaviors by verifiers ignores some
potentially serious issues.
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org
<Prev in Thread] |
Current Thread |
[Next in Thread>
|
- Re: [ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt], (continued)
- Re: [ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt], Arvel Hathcock
- Re: [ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt], Douglas Otis
- Re: [ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt], Stephen Farrell
- Re: [ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt], Douglas Otis
- [ietf-dkim] open-ended threats (was: [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt]), Frank Ellermann
- Re: [ietf-dkim] open-ended threats (was: [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt]), Douglas Otis
- Re: [ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt], Stephen Farrell
- Re: [ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt],
Douglas Otis <=
- Re: [ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt], Stephen Farrell
- Re: [ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt], Jeff Macdonald
- Re: [ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt], Stephen Farrell
- Re: [ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt], Hector Santos
Re: [ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt], Jim Fenton
RE: [ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt], Hallam-Baker, Phillip
|
|
|