ietf-dkim

[ietf-dkim] Re: Issue #1521: Limit the application of SSP to unsigned messages

2007-12-11 12:16:42
Jim Fenton wrote:

> As others have noted, bypassing SSP based on a valid signature
> from any arbitrary domain permits a trivial attack:  attackers
> could sign messages using throw-away domains they control.

Yes, valid DKIM signatures from unknown third parties are rather
pointless, and using SSP in such cases to determine the opinion
of the PRA (nobody else's opinion is relevant) is a *good thing*.

BUT a valid DKIM signature from a known + trustworthy 3rd party
can be already good enough (JohnL's NY Times example) to ignore
the opinion of the PRA (e.g. skip the SSP check if not yet done),
that's an obvious case of "receiver policy".

And it's not some "out of scope" reputation scheme, it's a mere
white list, any receiver can do this, they don't need an RFC for
this task.

I fail to understand why these two simple scenarios are seen as
contradictions or even SSP-showstoppers here, they're both fine.

> it's not possible to specify the circumstances under which an
> SSP query should be done when a message is signed by other
> than the author domain.

+1  That's a receiver decision, and the SSP spec. should focus
    on the actions *after* the receiver decided to check SSP.

It can't say "do this no matter what", it can say "if you wish
to do this that's how it's done".  What's so difficult about
this, even RFC 4408 got it right, actually I'd think that a
receiver is free to abort the evaluation of S* at any point
with result "that takes longer than usual, so I give up now".

> trust isn't an absolute:  while I might generally trust mail
> signed by, say, ietf.org, I wouldn't expect that signature on
> transactional mail.

Fine, add a bit to your white list.  You're the receiver, you
can do anything you like, but don't lie to your users claiming
that you evaluated any S* when you didn't.

 Frank
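
The receiver-side decision discussed in this message, as an added example that is not part of the original post or of any DKIM/SSP implementation: a local white list with a per-signer "message class" bit decides whether SSP is consulted, and the verdict records whether SSP was actually evaluated. The domain names, message classes, the `ssp_lookup` callable and its return value are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed local white list: signing domain -> message classes this
# receiver trusts that signer for (the "extra bit" from the thread).
TRUSTED_SIGNERS = {
    "news.example": {"bulk", "transactional"},
    "lists.example": {"bulk"},          # trusted for list mail only
}

@dataclass
class Verdict:
    accept_on_signature: bool   # a white-listed signer vouched for the message
    ssp_evaluated: bool         # True only if the SSP lookup really completed
    ssp_result: Optional[str]   # whatever the lookup returned, else None
    reason: str

def receiver_policy(author_domain: str,
                    valid_signers: Iterable[str],
                    msg_class: str,
                    ssp_lookup: Callable[[str], str]) -> Verdict:
    """One possible receiver policy for mail not vouched for by a trusted signer.

    valid_signers: domains whose DKIM signatures already verified.
    ssp_lookup: hypothetical callable(author_domain) -> str; it may raise
    TimeoutError when the receiver gives up on the query.
    """
    # A valid signature counts only if the signer is on the local white list
    # for this class of mail; a throw-away domain never matches here.
    for signer in valid_signers:
        if msg_class in TRUSTED_SIGNERS.get(signer.lower(), ()):
            return Verdict(True, False, None, f"white-listed signer {signer}")
    # Otherwise ask for the author domain's policy, and report honestly
    # when the evaluation was abandoned instead of completed.
    try:
        result = ssp_lookup(author_domain)
    except TimeoutError:
        return Verdict(False, False, None, "SSP lookup abandoned (timeout)")
    return Verdict(False, True, result, "SSP consulted for author domain")
```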
