Re: [ietf-dkim] Re: DKIM and mailing lists

On Jan 23, 2006, at 1:51 PM, Frank Ellermann wrote:

> Douglas Otis wrote:
>
> > The proposal for the 'w=?' parameter is to identity three roles.   
> > The MSA, mediator, and MDA.
> An MSA probably knows what it is, also if it delegates the signing  
> to an additional "mailout" MTA.  I'm not sure about mediator vs.  
> MDA, do they always know what they are ?  Is that an important  
> difference in your SSP-alternative ?
Just as the 's=' and 'i=' need to be established, consistent with  
various rules, so would the 'w=' as a means to indicate both what  
role the signature represents, but also what elements within the  
message have been verified.

> And do you really mean MDA, not maybe MRN ?
The MDA signature role could encompasses any receiving MTA within the  
receiving AdmD.  I am not sure if that is the same as the MRN.

> If DKIM-aware MRNs wish to reject mails based on DKIM-checks they  
> can't check at the MDA, they've to do it at their border (= MXs).
Exactly.  The term MDA signature could read "a signature only  
suitable for the MDA".  The MDA signature provides a secure means to  
both overlay incoming signatures with a verification result and yet  
ensure the message is not spoofed by an injection into the receiving  
AdmD.  The MDA signature could not be used to stage a replay attack,  
as only an MDA within the domain of the MDA signature would accept  
the message.  Any abuse in that case would be within the control of  
the receiving AdmD and should not impact the reputation of the  
sending MTA.

> > The MDA is intended to provide a non-deliverable signature
> Shaky.  I understand only very small pieces of your w-model, if at  
> all, but IIRC that part was about protection against replay attacks  
> abusing the signature of the sender.
The MDA signature would be an optional method to protect messages,  
when incoming signatures are overlaid with the result of the  
verification.  The overlay protects against any recipient within the  
receiving domain from using the message to stage a replay attack.   
This keeps the receiving domain off the DKIM-Abuse-list.  Adding the  
MDA signature at the edge of the AdmD where the overlay should occur,  
protects the message as it travels to the MDA.
> In other words the sender has to trust that the receiver gets this  
> protection at his MDA (or before it) right.
When the sender finds that their messages are being replayed (perhaps  
a bad actor has gained access within the sending domain), when the  
receiving domain fails to protect the signature from this type of  
abuse, the sender may choose not to sign messages for that  
destination, or perhaps someday not send messages to that  
destination.  The signature overlay strategy allows holding the  
domain accountable, rather than dispersing accountability to each  
email-address when signatures are not overlaid.  Such dispersion of  
accountability at the email-address would create an impossible  
situation to manage.

> > there are more mediators than just list-servers.
> Good, bad, and ugly (the latter for "canonicalization") list  
> servers, the "bad" cases also cover gateways.  Then forwarders, for  
> DKIM they are all good, more or less the opposite situation as with  
> SPF, where lists are all good.
> What other mediators do you have in mind ?  The moderator of an  
> article submitted to more than one moderated group could be a  
> special case, and at the moment I can't say how that works.  But in  
> essence they only add "Approved" until either all moderators  
> approved it, and the last injects it into NetNews, or one of them  
> rejects it.
A mediator would be those MTAs offering a service where the message  
is not directly from the author identified by the From.  Such  
messages are subjected to modifications or the inclusion of  
modifications or content beyond the direct control of the author,  
while still using the same From header.  This could include gateways,  
but may include other types of services.  In the case where incoming  
messages routinely have their signatures overlaid, even simple  
forwarding where only the RCPT TO: header is being changed should  
fall within this category.  Depending upon the level of  
implementation of the forwarding agent, the signature may retain the  
role of MSA, or be altered to accurately indicate the role of the  
mediator.  This uncertainty of roles should not cause any problems  
for the recipient, as they specifically establish this arrangement.   
It would be helpful to retain original signature headers where only  
the 'b=' parameter is overlaid with the verification results.   
Stripping these signature headers could inadvertently remove valuable  
information.  When resending these messages by an mediator, the most  
recent MSA header should be retained as overlaid.  Any sending of a  
message should remove the MDA signatures.  When sending, an MSA  
should remove any mediator signatures.  When receiving, the MDA  
signature should retain the most recent mediator and MSA signatures  
as overlaid.

> Caught in my outbound:  Of course, forwarders supporting PRA try  
> their magic with Sender or Resent-* header fields. That could be  
> also "bad".  Why am I not surprised, sigh...
That too would be an example of a mediator.  Assume that the  
recipient uses source identifiers (which may be the From address:MSA  
signature) to recognize and highlight a previous correspondent.   
Assume that messages from list-servers (From address:mediator  
signature) should not raise a conflict, but rather are treated as a  
difference class of message sources.  Each role can be highlighted  
differently and registered separately, or simply ignored as less  
important.  I'll refrain from creating a table of happy faces with  
different color schemes.  : )

-Doug


_______________________________________________
ietf-dkim mailing list
http://dkim.org