
[ietf-dkim] Re: requirements-01// security concerns regarding policy domain designations rather than delegations

2006-09-19 15:13:30
Douglas Otis wrote:

> Only strict 2822.From policy can act as a basis for
> rejection, but this does not permit non-compliant services
> that will continue to be used for a long time.

If senders and receivers remove non-compliant services from
the picture:  good riddance.  I'm more worried about normal
2822 applications.  The -01pre text has this as use case:

Users are free to resend mails to somebody else, and that
has to work with new receivers supporting strict SSP.

> It is my understanding the powers-to-be decided coping with
> transition is not needed at this time.

Overruling Phil in a security question.  The SHA-256 design
"patent" not even submitted to the IETF IPR page.  If Paul
states that that's no problem I'd believe it.

> RFC4408 enables various DDoS and DNS poisoning attacks as
> previously described.

That's about as relevant as the mail arriving with 25 DKIM
signatures (one valid), after you got a million you'd figure
out how to disable DKIM verification temporarily.

> based upon just the "fail" as commonly required to avoid
> delivery issues, less than 3% of spam is blocked.

Not too shabby.  The idea is to get this to almost 0%, because
no bad actor tries it anymore.  You probably also get a few
"pass", for those you don't need to worry about DSNs, they're
desired.  The 90% in between are no worse than before.  And as
others said, any scheme is futile if receivers don't like it,
they must get something for their effort.  It's sad that DKIM
and SSP don't fit into the SIQ concept (or rather I don't see
how), that could be a killer application.

> violating proprietary algorithms

That was the other beast, SID and 2822.  For the PRA part I'd
still say that 2822 is prior art.  Given a 2822 header minus 
Return-Path it's "obvious":  Noting that in RFC 4407 was an
excellent idea, but it's neither proprietary nor experimental.
Unless ignoring the Return-Path is the "experiment"... :-)

> the threat draft offers poor guidance for the policy effort.
> The policy requirements draft appears to be a continuation
> of this short-sighted view. :(

The -01pre draft is more like a summary of points discussed
here, the real security considerations go into SSP proper.

Frank

