-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have been avoiding this thread, because it does not apply to a
particular issue, but it seems to go on and on...
Jon Callas wrote:
It's been hard over the last few days to keep pace with all of the
messages here, so my comments are on the basic notion that Dave
had brought up.
I agree wholeheartedly with his basic premise, that SSP started off
being modest, and has grown into the experimental and
encompassing. I also agree that this isn't good.
What is the modest SSP that everyone speaks of? The first SSP draft
that I know of is draft-allman-dkim-ssp-00, dated July 9, 2005, prior
to the chartering of the DKIM Working Group. It contains the
"unknown", "all", and "strict" policies (although they were known as
~, -, and ! respectively), as well as a "no mail" policy. It not only
checks the local-part of the email address, it has a provision that
allows sender signing policy (as it was known then) to be expressed at
the user level. It searches up 5 levels of hierarchy to protect
against sub-sub-sub-domain attacks. It includes a reporting address
and a testing flag.
The only substantial thing that has been added is the handling tag.
In so many ways, SSP is much more modest now than before.
So I'm going to pull back and describe how I think we got here.
Back in the days of DKIM-base, we started with considering what
happens with broken signatures. We also believed that it would be
not uncommon for a legitimate message to get its signature broken
in flight.
When you consider what the receiver is supposed to do with a broken
signature, the first suggestion is, "Well, do what you did before
DKIM." This is legitimate, if unsatisfying. It is more
unsatisfying the more that signatures can be expected to land
unmolested.
By "do what you did before DKIM", I gather you mean that you consider
the signature not to exist. If broken signatures are treated any
better than non-existing signatures, this invites attackers to attach
invalid signatures to messages.
Secondly, if you consider the senders for whom DKIM is most
valuable -- big phishing targets -- they want the illegitimate
message thrown away.
This leads us to a nice confluence of events. The receiver has a
message it isn't sure what to do with, and the sender can offer
helpful advice. If the sender says, "I'd rather you threw away a
good message than accept a bad one," then the receiver has a hint
as to what to do with it. Don't bother trying to process it, just
junk it.
This is the "handling" flag, which was just introduced in the latest
draft.
Thus is born SSP, and thus is born the "I sign everything" policy.
This is non-controversial, we all think it's great. As a receiver,
if I see a broken signature, do an SSP check and if it says "sign
all" I can now just throw the message with the broken signature
away.
No, that's not what the "I sign everything" policy says at all. Since
the message doesn't have a valid signature, SSP says the message is
Suspicious. The verifier can use that information however it pleases.
However, next comes an addition to that. If we assume there are
active bad guys, they'll just send their bad messages with no
signature. Consequently, we can solve this by redefining a broken
signature to include messages with no signature. It doesn't take
much of a stretch to consider no signature to be merely the most
extreme form a broken signature. This way, we end up will all
forged messages pretending to be from a signing domain to be
dropped at the receiver.
Again, not dropped, unless you're talking about the handling tag.
This is undeniably a Good Thing. I support it, myself. However, it
is also precisely the place where SSP jumped the shark. All the
further mission-creep of SSP comes from this one
seemingly-innocuous, well- meaning change.
This *radically* changes SSP in two fundamental ways:
(1) It changes SSP from being a protocol that governs the error
condition of an optional protocol to being a protocol that governs
*every* email received by *every* MTA.
Application of SSP to only messages containing broken signatures has
*never* been proposed in any SSP draft. To do so would create an
incentive not to deploy DKIM: there would be the fear that
application of a DKIM signature might hinder delivery of messages,
because of the potential for breakage that would not exist for
unsigned messages.
(2) It changes SSP from being *guidance* that a sender gives to a
receiver to a *mandate* that the sender gives to the receiver.
Again, you are confusing the practices with the handling tag, and even
the handling tag isn't a mandate.
The first one is troubling for a number of reasons. When we started
DKIM, we told the rest of the IETF that this was an optional
protocol, you didn't have to use it, and so on. We also cooed
softly at the people who worried about the increased DNS use,
arguing many ways that this wouldn't dramatically increase the
global load on DNS all that much.
While this addition (SSP check on every message) is certainly a
Good Thing, it means that we've gone back on our word to the rest
of the IETF. I think it could be argued that that this violates the
DKIM charter, in spirit, if not in the letter.
I'd like to know what part of the charter you think this violates.
So, let me get this right: We allow domains to optionally publish a
policy (practice) that says "I sign everything" but we don't even
check that when we get something that isn't signed. How can that
possibly be useful?
The second one is much subtler. It's a principle of email sending
that the receiver can do whatever they want, no matter how stupid.
While it may be useful for the sender to offer hints and guidance
to the receiver, the sender cannot mandate. While I don't know how,
I see here the makings of an exploitable architectural flaw.
It's about as non-mandatory as I can think of making, other than
making it a non-normative implementation note (which of course I'll do
if the WG consensus says so). Beyond that, we're in the "treat the
message (hint-hint, nudge-nudge) with prejudice" realm, which is more
dangerous than being more specific, as Scott Kitterman has noted about
SPF.
I think we need to take a big step back from SSP. We need to
seriously look at all policies other than the original "sign
everything" policy and discuss them thoroughly. We need to
seriously look at that one little change and discuss how it
changed, as Dave said, the very *paradigm* of SSP.
I would like to know *when* it changed, and then I would have context
for *how* it changed.
I offer as a suggestion that we issue an SSP document that
describes only the basic broken-signature-only model of SSP with
only the one policy (sign-all). After that, we look at enhancements
to the model carefully. We seriously discuss whether they are
outside the charter because of the effect it has on the global
email infrastructure to turn DKIM from an opt-in protocol to a
you-must protocol. We also seriously have to look at other policies
to discuss their effectiveness along with their environmental
effects.
SSP in no way turns DKIM from opt-in to you-must. Domains that don't
publish SSP have their mail treated as non-Suspicious, regardless of
the presence or absence of signatures, which is the most favorable
category.
- -Jim
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHYN7VR3t0p2Nw35URAre9AJ0UPKHDid1Lzf9ejdSPxqSMvc810gCghCbV
9y2u6y3ylbEW2JJ3vFHGIks=
=WnMn
-----END PGP SIGNATURE-----
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html