On May 24, 2007, at 12:06 AM, Stephen Farrell wrote:
> We've had last call on the requirements document. You seem to me to
> be repeating a request that wasn't accepted, but I've yet to track
> back the issue tracker to check that. I hope I don't need to.
> Our next step with the SSP requirements document is to push it to
> the IESG (on Barry's to-do list I believe).
There is a clear desire to use DKIM in conjunction with some type of
domain based reputation service. However, DKIM has _not_ resolved
how replay abuse is to be handled. This becomes a security concern
when someone then suggests SPF is to be the means to associate domains.
Because DKIM has not resolved the issue of replay abuse, DKIM is
indirectly promoting a dangerous means to associate domains. The
DKIM WG should reconsider their strategy.
When a DKIM signature does not match the domain of an email-address,
the email-address is not assured. This should be okay.
When the EHLO does not match the DKIM domain, the recipient is at
risk of replay abuse when basing acceptance upon the DKIM domain.
Hence, when the DKIM domain does not match the EHLO domain, DKIM's
reputation MUST not apply. For many, this is _not_ okay.
---
One solution might be to negotiate the necessary elements for
permitting email providers to identify SMTP clients as being within
the signer's DKIM domain. However, most customers of an email
service provider will not be comfortable making such arrangements.
Another solution might be to publish a _single_ small record that
associates the EHLO domain with that of the DKIM domain. Such
associations would represent a type of authorization and indication
of trust. Such a scheme would not place either the email service
provider or their customer in jeopardy of being erroneously
identified for something beyond their control. The same record could
also indicate signing policy. This can be accomplished within one
and perhaps two DNS transactions _at the most_. It is _very_
important that the DKIM WG carefully consider the overhead
surrounding use of DKIM.
---
Some have rather wantonly dismissed concerns related to DNS records
able to cause a flurry of subsequent queries to _uninvolved_ domains
based upon various email addresses' local-parts. Such records are
cached and can be reused _any_ number of times within a spam run
where these local-parts _will_ likely change. Some have wantonly
dismissed concerns related to DNS transactions demanded by a strategy
attempting to resolve _all_ IP addresses used by as many as _10_
different domains _all at once_. The level of DDoS amplification
this might involve is simply astounding!
The DKIM WG should carefully reconsider this issue for security
reasons alone.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
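The check Doug describes (DKIM reputation applies only when the EHLO domain matches the DKIM signing domain, or when a single small record published by the signing domain associates the EHLO domain with it), written out as an added Python example. This is not code from the thread, the DKIM WG or any DKIM implementation: the `_ehlo.<dkim-domain>` TXT record, its `v=EHLO1; ehlo=...; policy=...` syntax, the mock zone and the sample message are all constructed here to illustrate the proposal, and cryptographic verification of the signature is assumed to have already succeeded. The resolver counts DNS transactions so the "one query at most" claim can be checked directly, and the third scenario is the replay case: a validly signed message injected from an unassociated EHLO host.

```python
"""Hypothetical EHLO-to-DKIM-domain association check (illustration only)."""
import re

# Constructed mock DNS zone. The record name and tag syntax are assumptions
# made for this example, not any DKIM/SSP standard: the DKIM signing domain
# publishes one TXT record naming the EHLO domains it authorizes as outbound
# relays, plus its signing policy, so one query answers the association.
MOCK_DNS = {
    "_ehlo.customer.example":
        "v=EHLO1; ehlo=mail.esp.example,mx2.esp.example; policy=all",
}


class MockResolver:
    """Offline stand-in for a DNS resolver that counts TXT transactions."""

    def __init__(self, zone):
        self.zone = zone
        self.queries = 0

    def txt(self, name):
        self.queries += 1
        return self.zone.get(name.lower().rstrip("."))


def dkim_domain(headers):
    """Extract the d= tag from a DKIM-Signature header value (None if absent)."""
    sig = headers.get("DKIM-Signature", "")
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    return m.group(1).lower() if m else None


def within(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_assoc(record):
    """Parse the hypothetical 'k=v; k=v' association record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def reputation_applies(headers, ehlo, resolver):
    """Decide whether the DKIM domain's reputation may be applied to this
    delivery. Returns (applies, reason). The signature itself is assumed
    to have verified already; that step is out of scope here."""
    d = dkim_domain(headers)
    if d is None:
        return False, "no DKIM signature"
    if within(ehlo, d):
        return True, "EHLO is within the DKIM domain (no lookup needed)"
    record = resolver.txt("_ehlo." + d)          # the single extra query
    if record is None:
        return False, "no association record for %s" % d
    tags = parse_assoc(record)
    if tags.get("v") != "EHLO1":
        return False, "unrecognised association record version"
    authorized = [h.strip() for h in tags.get("ehlo", "").split(",") if h.strip()]
    if any(within(ehlo, a) for a in authorized):
        return True, "EHLO authorized by %s (policy=%s)" % (d, tags.get("policy"))
    return False, "EHLO %s not associated with %s; possible replay" % (ehlo, d)


# Constructed sample message; the b= value is a placeholder, not a real signature.
SAMPLE = {
    "DKIM-Signature": "v=1; a=rsa-sha256; d=customer.example; s=sel; b=AAAA",
    "From": "alice@customer.example",
}


def demo():
    """Run the three scenarios: own host, authorized ESP relay, replay host.
    Returns {ehlo: (applies, dns_queries, reason)}."""
    results = {}
    for ehlo in ("out.customer.example", "mail.esp.example", "relay.spammer.example"):
        resolver = MockResolver(MOCK_DNS)
        ok, why = reputation_applies(SAMPLE, ehlo, resolver)
        results[ehlo] = (ok, resolver.queries, why)
    return results


if __name__ == "__main__":
    for ehlo, (ok, queries, why) in demo().items():
        print("%-24s applies=%-5s dns_queries=%d  %s" % (ehlo, ok, queries, why))
```

Each scenario costs at most one DNS transaction, and the replayed message keeps its valid signature but gets no reputation credit; the record also carries the signing policy in the same answer, which is the overhead argument made in the message above.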