ietf-dkim

Re: [ietf-dkim] Re: Message Replay Abuse and Acceptance of a Signature

2006-01-22 09:34:20
On Sun, 2006-01-22 at 10:25 +0100, Frank Ellermann wrote:
> Douglas Otis wrote:
>
>> A Low Administrative Solution Insensitive to High Latency:
>>
>> Just as email domains check lists when deciding to receive a
>> message, they now also check a list to decide whether to
>> sign, or perhaps even send a message.
>>
>> With this paradigm, as a best practice, to ensure Company X
>> that it is safe for them to send their newsletter, Domain Z
>> replaces the incoming signature with an MDA specific
>> signature at the edge of their AdmD.  An MDA specific
>> signature can not be used to resend a message, but still
>> allows users of Domain Z to be assured the message is valid,
>> and the completed by Domain Z when the message first arrived.
>
> Any sender X arranges something with most of its receiving Zs.
> Any receiver Z arranges something with most of its inbound Xs.

Perhaps for a great while, the choice would be whether it is safe to
sign the message or not, when hoping to retain the acceptance value of
the signature.  The replay abuse problem will affect both large and
small domains.  Checking a DKIM-Abuse-List (negative) or
DKIM-Adopters-List (positive) does not represent any 1:1 arrangements.
Commerce related transactions may wish to use a negative list, and
list-servers, newsletters and the like, may be safer with a positive
list.  Community lists represent roughly the same level of care and
cooperation exercised in the process of receiving email for most domains.

> Why do they need DKIM for that?  CSV or SPF should be enough.

For any crypto scheme, CSV could be useful to guard against being
overwhelmed with bad actors by using a name-based reputation scheme.
Retaining protection in the name space prevents collateral blocking and
allows double use for the DKIM-Abuse-List.  The minimums in SPF can make
being overwhelmed worse, even beyond the path registration issues.

The DKIM signature however indicates the AdmD providing initial access
and not just the last hop.  When there is an abuse problem, DKIM would
be effective at indicating the source of the problem.  DKIM would be
effective at indicating the source of the message for recognition and
recognition signaled security as well.  Signaling anything based upon
email-address conformance would be highly unsafe, severely limiting the
value of SSP.

Review the dkim-options draft.  The signature header is not removed,
just the 'b=base64' is obfuscated with a result indicating whether the
MDA verified the signature upon acceptance.  To prevent intra-AdmD
spoofing, the MDA does the obfuscation and resigns the message and
overlaid signatures.  A Public-Key is not necessary for the MDA
signature.  The MDA 'w=' parameter ensures this signature will not be
accepted by any other AdmD.

-Doug
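The edge re-signing step described in the message above, as an added example that is not code from the thread, the dkim-options draft, or any DKIM implementation. It assumes the MDA has already verified (or failed to verify) the sender's DKIM signature, and it replaces the sender's b= value with the verification result plus a MAC under a key that only Domain Z's MDAs hold, so the rewritten header is useless to anyone who resends the message and cannot be forged by a host inside Domain Z that lacks the key. The tag names mda= and lm=, the key, the MDA identifier and the sample DKIM-Signature value are all constructed for this example and are not the draft's syntax.

```python
import hashlib
import hmac

# Assumption: a symmetric key shared only by Domain Z's MDAs. Nothing is
# published for it, so no other AdmD can accept what it produces.
DOMAIN_Z_LOCAL_KEY = b"constructed-domain-z-edge-key"
DOMAIN_Z_MDA = "mda1.domain-z.example"   # hypothetical MDA identifier

# Constructed DKIM-Signature tag list as it might arrive from Company X.
INBOUND_SIGNATURE = (
    "v=1; a=rsa-sha256; d=company-x.example; s=news; c=relaxed/relaxed; "
    "h=from:to:subject:date; bh=Y29uc3RydWN0ZWQtYm9keS1oYXNo; "
    "b=Y29uc3RydWN0ZWQtc2lnbmF0dXJlLXZhbHVl"
)


def parse_tags(value):
    """Split a tag=value list into an ordered dict (order matters for the MAC)."""
    tags = {}
    for field in value.split(";"):
        field = field.strip()
        if not field:
            continue
        name, _, val = field.partition("=")
        tags[name.strip()] = val.strip()
    return tags


def serialize_tags(tags):
    return "; ".join(f"{k}={v}" for k, v in tags.items())


def mda_resign(signature, verified, mda=DOMAIN_Z_MDA, key=DOMAIN_Z_LOCAL_KEY):
    """Edge MDA step: drop the sender's b= value, record the verification
    result in its place, bind the header to this MDA, and add a local MAC.
    Hypothetical tags: b= now carries the result, mda= names the MDA and
    lm= carries the local MAC (HMAC-SHA256 over the other tags)."""
    tags = parse_tags(signature)
    tags["b"] = "verified" if verified else "failed"   # original value is gone
    tags["mda"] = mda
    covered = serialize_tags(tags).encode()
    tags["lm"] = hmac.new(key, covered, hashlib.sha256).hexdigest()
    return serialize_tags(tags)


def mda_check(signature, mda=DOMAIN_Z_MDA, key=DOMAIN_Z_LOCAL_KEY):
    """Inside Domain Z: accept only headers MAC'd by our own MDA.
    Returns True/False for the recorded verification result, or None when
    the header is not an acceptable local signature (wrong MDA, wrong key,
    or tampered tags)."""
    tags = parse_tags(signature)
    mac = tags.pop("lm", None)
    if mac is None or tags.get("mda") != mda:
        return None
    expected = hmac.new(key, serialize_tags(tags).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return tags.get("b") == "verified"


def original_signature_survives(resigned):
    """True if the sender's b= value is still present (it must not be)."""
    return parse_tags(resigned)["b"] == parse_tags(INBOUND_SIGNATURE)["b"]


if __name__ == "__main__":
    resigned = mda_resign(INBOUND_SIGNATURE, verified=True)
    print(resigned)
    print("local check:", mda_check(resigned))
    # Replayed to another AdmD with its own MDA and key: not accepted.
    print("other AdmD:", mda_check(resigned, mda="mda.other.example", key=b"other-key"))
    # Intra-AdmD spoof: flip a failed result to verified without the key.
    forged = mda_resign(INBOUND_SIGNATURE, verified=False).replace("b=failed", "b=verified")
    print("forged:", mda_check(forged))
```

The point of the design is that the sender's signature value never leaves the edge, so a recipient of Domain Z cannot forward the message and have it verify elsewhere, while the MAC keeps an internal host from rewriting a failed result to a verified one.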




_______________________________________________
ietf-dkim mailing list
http://dkim.org