ietf-dkim

Re: [ietf-dkim] Underscore considerations

2006-06-08 17:03:37

On Jun 8, 2006, at 4:35 PM, Jim Fenton wrote:

There was some discussion in today's Jabber about whether the use of the
underscore character in the i= field of a signature creates a new
vulnerability.  This originated with the following suggested text in
issue 1285 (https://rt.psg.com/index.html?q=1285):

: Although TLD managers are trustees for the delegated domain, DKIM
: introduces a security concern unrelated to domain delegation.
: Currently there are no contractual obligations barring gTLD, ccTLD,
: or SLD managers from publishing DKIM accessible keys within a
: "_domainkey" sub-domain. While this sub-domain can not be
: delegated as a domain due to the underscore character '_',
: unqualified sub-domains in the 'i=' parameter can be constructed
: to reference a key published by a higher level domain. These
: higher level keys expose all sub-domains to harm from a possible
: security breach at these higher levels. The only protection
: available to owners of all sub-domains would be established
: contractual obligations that currently do not exist. The simplest
: remedy would be to ban inclusion of any sub-domain beginning with
: the underscore '_' within these common higher-level domains.

First of all, I don't see any reason why the _domainkey subdomain
couldn't be delegated. In fact, we use the delegation of _domainkey as an example of how key management could be done when using an outsourced
email provider.

In the revision, this was clarified. See:
http://mipassoc.org/pipermail/ietf-dkim/2006q2/003830.html

: Registry Operator Functional Specification Agreements normally
: preclude registering "_domainkey" due to the underscore character.
: This limitation is expected to also preclude TLD managers from
: publishing the "_domainkey" label as a subdomain.


Let's try to construct the problem case:  Suppose someone managed to
register _domainkey.com.  They could then publish keys in that domain,
and sign arbitrary messages on behalf of .com.  That's obviously a Bad
Thing.

The Registry Operator Functional Specification Agreement normally prohibits this character. A registered name must begin with an alpha character. The rules governing the SLD may differ and some providers may inject their own stuff as an alternative root.


The piece I'm missing is if it's even possible to register a domain
beginning with an underscore, or whether there are specific rules
preventing that.

The rules are per Registry operation, per TLD. The many that I have examined all preclude registering a domain name that does not begin with an alpha character. Obviously, the wildcard trick by Verisign proved that anything could be synthesized. The correction to this problem was to stop that activity, from what I could conclude.

The delegation rule I cited above (that it is
possible) applies to DNS, but I don't know if other policies (ICANN,
perhaps) restrict that further with respect to domain registration.  I
surfed a bit around ICANN but didn't find anything relevant.  Does
anyone know?

As I said, you need to look into each Registry Operator Functional Specification Agreement.


So perhaps we need something like the following text: "Domains MUST NOT
delegate the _domainkey subdomain unless they have the intent to allow
the delegatee to sign messages on behalf of the entire domain or any of
its subdomains."

I'll post my summary and get your feedback.


-Doug
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
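The problem case the thread walks through (a key published under a higher-level domain such as com, reachable via i=/d= from any subdomain below it, and Jim's proposed rule about delegating _domainkey) can be made concrete with a small verifier-side check. The following is an added example, not code from the thread or from any DKIM implementation: it parses a DKIM-Signature tag list, derives the DNS name a verifier would query for the key, names the _domainkey zone whose delegation would hand over signing authority for d= and everything under it, and applies the i=-within-d= rule from the draft. The "single label means TLD" heuristic and the sample headers are constructed assumptions for illustration.

```python
"""Added example (not from the original thread): derive the DNS name a DKIM
verifier queries for a signature's public key, and audit how broad the
signing authority behind a given d=/i= pair is."""
import re


def parse_tags(header_value: str) -> dict:
    """Parse a DKIM-Signature tag=value list into a dict.

    Folding whitespace inside values is removed; splitting on the first '='
    keeps base64 padding in b= and bh= intact.
    """
    tags = {}
    for item in header_value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def key_query_name(tags: dict) -> str:
    """TXT record a verifier fetches for this signature: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d'].rstrip('.')}".lower()


def delegation_point(tags: dict) -> str:
    """The zone that, if delegated, lets the delegatee publish keys (and so
    sign) for d= and, via i=, for any subdomain of d=."""
    return f"_domainkey.{tags['d'].rstrip('.')}".lower()


def _is_subdomain_or_equal(child: str, parent: str) -> bool:
    child, parent = child.lower().rstrip("."), parent.lower().rstrip(".")
    return child == parent or child.endswith("." + parent)


def audit_signing_scope(tags: dict) -> list:
    """Return findings about the scope of the signing authority.

    The i=-within-d= rule is the one in the DKIM draft; the single-label
    TLD heuristic is an assumption made for this example (a real verifier
    would need a maintained list of public suffixes).
    """
    findings = []
    d = tags["d"].lower().rstrip(".")
    i = tags.get("i")
    # The domain part of i= must equal d= or be a subdomain of it.
    if i is not None:
        i_domain = i.rsplit("@", 1)[-1]
        if not _is_subdomain_or_equal(i_domain, d):
            findings.append(f"i= domain {i_domain!r} is outside d= {d!r}")
    # A key published under a top-level domain covers every subdomain below
    # it: the i= check above passes for any *.com when d=com.
    if "." not in d:
        findings.append(
            f"d= {d!r} is a top-level domain; key covers all subdomains")
    return findings


if __name__ == "__main__":
    # Constructed sample headers; the signature values are placeholders.
    samples = [
        "v=1; a=rsa-sha256; d=example.com; s=sel; i=@mail.example.com;"
        " h=from:to; bh=abc=; b=def=",
        # The thread's problem case: a key under com, used for a subdomain.
        "v=1; a=rsa-sha256; d=com; s=sel; i=@victim.example.com;"
        " h=from; bh=abc=; b=def=",
    ]
    for header in samples:
        tags = parse_tags(header)
        print(key_query_name(tags), delegation_point(tags),
              audit_signing_scope(tags))
```

For the second sample the i= domain victim.example.com is legitimately "within" d=com, so the draft's own check passes; the only thing that flags it is recognising that d= is a TLD, which is exactly why the thread looks to registry rules rather than to the verifier for protection.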