ietf-dkim

Re: [ietf-dkim] Underscore considerations

2006-06-08 17:23:00
Jim Fenton wrote:

There was some discussion in today's Jabber about whether the use of the
underscore character in the i= field of a signature creates a new
vulnerability.  This originated with the following suggested text in
issue 1285 (https://rt.psg.com/index.html?q=1285):

: Although TLD managers are trustees for the delegated domain, DKIM
: introduces a security concern unrelated to domain delegation.
: Currently there are no contractual obligations barring gTLD, ccTLD,
: or SLD managers from publishing DKIM accessible keys within a
: "_domainkey" sub-domain. While this sub-domain can not be
: delegated as a domain due to the underscore character '_',
: unqualified sub-domains in the 'i=' parameter can be constructed
: to reference a key published by a higher level domain. These
: higher level keys expose all sub-domains to harm from a possible
: security breach at these higher levels. The only protection
: available to owners of all sub-domains would be established
: contractual obligations that currently do not exist. The simplest
: remedy would be to ban inclusion of any sub-domain beginning with
: the underscore '_' within these common higher-level domains.

First of all, I don't see any reason why the _domainkey subdomain
couldn't be delegated.  In fact, we use the delegation of _domainkey as
an example of how key management could be done when using an outsourced
email provider.

Let's try to construct the problem case:  Suppose someone managed to
register _domainkey.com.  They could then publish keys in that domain,
and sign arbitrary messages on behalf of .com.  That's obviously a Bad
Thing.

The piece I'm missing is if it's even possible to register a domain
beginning with an underscore, or whether there are specific rules
preventing that.  The delegation rule I cited above (that it is
possible) applies to DNS, but I don't know if other policies (ICANN,
perhaps) restrict that further with respect to domain registration.  I
surfed a bit around ICANN but didn't find anything relevant.  Does
anyone know?

Even if you could, and even if a registrar were boneheaded enough to shoot
their own foot, how hard could it possibly be for a DKIM verifier to enumerate
the TLDs and not accept selectors from that set of blacklisted _domainkey
delegations? Am I missing something?

      Mike
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
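
The verifier-side check suggested in the reply above, sketched as an added example that is not part of the original message or of any DKIM implementation. Assumptions: BLOCKED_SUFFIXES is a small constructed sample rather than a real registry list, all function names are hypothetical, and the i= test follows the DKIM rule that the i= domain must be the d= domain or a subdomain of it.

```python
# Added example: refuse signatures whose key would be fetched from
# <selector>._domainkey.<TLD>, before any DNS lookup is made.
# BLOCKED_SUFFIXES is a constructed sample, not a real registry list.
BLOCKED_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def parse_tags(header_value):
    """Split a DKIM-Signature tag list ("a=b; c=d") into a dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Folding whitespace inside a value is not significant.
            tags[name.strip()] = "".join(value.split())
    return tags


def normalise(domain):
    return domain.strip().rstrip(".").lower()


def key_query_name(tags):
    """DNS name the verifier would query for the public key."""
    return "%s._domainkey.%s" % (normalise(tags["s"]), normalise(tags["d"]))


def check_signature_domain(header_value):
    """Return (accepted, detail); detail is the key name or the reason."""
    tags = parse_tags(header_value)
    if "d" not in tags or "s" not in tags:
        return False, "missing d= or s= tag"
    d = normalise(tags["d"])
    if d in BLOCKED_SUFFIXES:
        return False, "key would come from %s" % key_query_name(tags)
    # i= defaults to "@" + d; its domain must be d or a subdomain of d.
    i_domain = normalise(tags.get("i", "@" + d).rpartition("@")[2])
    if i_domain != d and not i_domain.endswith("." + d):
        return False, "i= domain %s is not within d=%s" % (i_domain, d)
    return True, key_query_name(tags)


# Constructed sample headers (values are illustrative only).
SAMPLES = {
    "normal": "v=1; a=rsa-sha256; d=example.com; s=mail; i=user@example.com",
    "tld_key": "v=1; a=rsa-sha256; d=com; s=mail; i=user@example.com",
    "foreign_i": "v=1; a=rsa-sha256; d=example.com; s=mail; i=user@example.net",
}
```
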