ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt]

2006-01-15 17:48:16
from [Douglas Otis] [Permanent Link] 

On Jan 14, 2006, at 11:33 AM, Stephen Farrell wrote:
The concern is not about leveling the playing field, but rather not giving the large domain a powerful club with which to beat the heck out of smaller domains. This requires avoiding any reason or excuse for an open policy to be published.
I don't get your logic there. What is the relationship between domain size and SSP that gives rise to a (technical) threat? I don't believe there is one.
a) The severity of the threat of being held culpable for an open-end policy reduces as the domain size increases.
b) When publishing a policy increases the rating of a message, accountability will effectively move to the email-address domain, which is exacerbated as the signing-domain gets larger.
Identities exposed by DKIM beyond the signing-domain are email- addresses: the key's 'g=' and the signatures 'i=' parameters, or discovery of a published policy referenced from a header's email- address. Common practices require an open-ended policy to avoid disruption. Despite this, finding a policy for an email-address will also likely increase the rating of the message. An increased rating could be done to encourage the publishing of policies which mitigate the policy search overhead. In the case of a foreign email-address being signed, neither the 'g=' or the 'i=' parameters can be used as an identifier. When the signing-domain represents tens of millions of users, and there is a targeted abuse by compromised systems with access (perhaps a result of the increased rating), acceptance due to a policy will then likely require the affected email-addresses be selectively blocked. For very large domains, blocking at the signature would not be practical, as this would disrupt messages from tens of millions of users.
The threat document speculates on the risks created by bad-actors. It seems appropriate to consider possible DKIM related dynamics, especially when there is a history that supports this concern. Many administrators consider an ideal system would _only_ hold the email- address domain owner accountable. Unfortunately, fairness would then rapidly become a casualty. DKIM can be engineered to avoid this unfairness. To do so, an open-ended policy should be avoided. 



[...paradox lost...]
For example, a second level domain "co.jp" publishes the 'o=.' policy. This would mean all sub-domains must then also publish a policy or forgo expectations of having their email accepted.
"o=." states that nothing in co.jp sends email (I hate those terse labels being used in discussion, whatever about in the DNS.) I assume that some enterprises in co.jp would complain mightily, i.e. that's not going to happen.
The SSP draft does not offer concise terminology, so the symbols are used instead. The second level domain may feel justified when the traffic becomes onerous. The paradox is that avoiding the use of open-ended policies to terminate the search has not been accommodated in the current design. As you suggested, closed policies would be highly disruptive. Fixing this problem only requires a minor change.
A mechanism to indicate the SSP record does not apply to sub- domains would ensure the search could end, but would then not be applied to the sub-domains. A separate mechanism not part of the 'o=' could be used, such as 'i=y' or 'i=n' for sub-domains inherit policy (yes/[no]).
Maybe. I could imagine some benefit were SSP to include allow inclusion of something like a "depth" value which'd say that this policy applies here and N more levels down. Sort of like the pathLenConstraint in X.509. But thats for later in any case when we're doing SSP.
This level complexity is not needed. "From here down", or "just here" should be sufficient.
When the signing/email domains don't match and "some legitimate messages are not signed or are signed by others" policy is discovered, how does this relate to what what messages are conformant?
That's up to the verifier and not in scope of threats. We might want to discuss a bit when its time to do SSP, but absent any demonstrated threat, its definitely for later I believe.
Contemplating how DKIM may be implemented is beyond consideration? This is not suggesting that any particular method be used by the verifier. This concern is based upon logical and possible scenarios and outcomes. Excluding possible behaviors by verifiers ignores some potentially serious issues. 

-Doug




_______________________________________________
ietf-dkim mailing list
http://dkim.org
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [ietf-dkim] Re: some more comments on the threats draft, Stephen Farrell
Next by Date:  Re: [ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt], Jim Fenton
Previous by Thread:  Re: [ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt], Stephen Farrell
Next by Thread:  Re: [ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt], Stephen Farrell
Indexes:  [Date] [Thread] [Top] [All Lists]