[ietf-dkim] Re: Associated Signatures

On Jan 23, 2008, at 4:51 AM, Charles Lindsey wrote:

> On Tue, 22 Jan 2008 19:43:43 -0000, Douglas Otis <dotis(_at_)mail- 
> abuse.org> wrote:
> > On Jan 22, 2008, at 3:12 AM, Charles Lindsey wrote:
> >
> > > On Tue, 22 Jan 2008 02:32:28 -0000, Douglas Otis <dotis(_at_)mail-abuse(_dot_)org 
> > > > wrote:
> > > > 1) To be SSP "strict" or "all" compliant, the identity associated  
> > > > with a signature:
> > > Add:
> > > e) Each entity with a "strict" or "all" SSP within the following  
> > > headers
> > >    From, Sender, Resent-From, Resent-Sender
> > > must be matched by an associated signature (if, in some  
> > > complicated case,
> > > this requires the presence of several signatures, then so be it).
> > What benefit is derived by imposing an explicit i= parameter  
> > requirement on an originating header for "all" or "strict"  
> > compliance?
> I don't know, but what has that got to do with my suggestion above?
You said "an associated signature".  It was not clear whether you  
meant "associated" using the d= tag ignoring the i= tag, or using the  
i= tag (and its default)?
> > RFC 4871 does not require signatures to identify specific entities,  
> > and may produce ambiguous signatures lacking an i= local-part.
> A signature identifies a domain. By implication, it identifies any- 
> local-part(_at_)that-domain(_dot_)
A signature is allowed to not include the local-part, or might include  
the local-part of an email-address within the Sender header that is  
within the same domain as that of the From email-address in question.   
When the signature fails to include the local-part, the entity  
introducing the message remains ambiguous and such signatures do not  
identify any-local-part.   However, such an ambiguous signature  
currently satisfies "strict" compliance.  Nonetheless, a signature  
associated with the Sender header identifies who introduced the  
message, but currently does not satisfy "strict" compliance.
It would seem your agree that a signature on-behalf-of the Sender  
within the same domain as the From should satisfy compliance with  
either "strict" or "all".
> > For SSP to impose a requirement that signatures _MUST_ identify  
> > specific entities is beyond the WG charter.
> And nobody has suggested any such thing. Please look at my proposed  
> additional "e)".
> You (a verifier) see a bunch of addresses in a bunch of From/Sender/ 
> Resent-From/Resent-Sender headers.
> You also see a bunch of valid signatures on behalf of an assortment  
> of domains.
> So you look through the domains that are signed for, and you tick  
> off all the addresses in all those headers that contain those  
> domains (well, maybe only for the headers explicitly covered by the  
> signature, where "From" is alwys covered, of course).
When you said "explicitly covered by the signature, you mean those  
those headers included within the signature's hash?
> If, when you are done, you have ticked off all the available  
> addresses, then there is nothing to be suspicious about. But, if any  
> address has not been ticked, you are entitled to ask "why not?".
You wish to include SSP discovery for any header, rather than just for  
those within the From header lacking a signature within a domain at or  
above the email-address domain?
> So, for each unticked address, you look up the SSP, and if you find  
> some of them are 'strict' or 'all', then your suspicions are  
> aroused. What happens next depends on exactly how we define 'all'  
> and 'strict', including how they apply to the various headers (and  
> it may depend also upon your local policies and reputations that may  
> be to hand, but those considerations are beyond our scope).
Checking SSP for all headers might cause an excessive level of SSP  
discovery.  Excessive SSP discovery increases the overhead related to  
DKIM, and increases concerns related to DDoS effects.
> As to whether we need to consider all of From/Sender/Resent-From/ 
> Resent-Sender, we can discuss that. But consider, supposing Ebay has  
> a 'strict' SSP, how could
>   Sender: somebody(_at_)ebay
> legitimately come about and not get signed by Ebay?
This strategy could be done differently, while only focusing upon the  
From header email-addresses.
Any valid signature with a domain at or above the email-address domain  
contained within the From header removes the need to discover SSP for  
that domain.  An exception should be made for signatures using a g=  
restricted keys.  These restricted signatures must be on-behalf-of (i=  
tag match) with that of the From header to satisfy "strict" or "all"  
compliance.  In essence, only the From header email-addresses are  
protected by SSP policy.
> Or, suppose someone outside sends email to someone(_at_)ebay(_dot_)com who then  
> decides to resend it to someone outside. How could that NOT get  
> signed by Ebay on the way out?
This strategy could introduce an inordinate level of SSP discovery.   
Conversely, the Sender someone(_at_)ebay(_dot_)biz could be signed by ebay.biz,  
but should not satisfy "all" or "strict" compliance with a From of someone(_at_)ebay(_dot_)com 
.  However, when a signature is on-behalf-of (i= tag match) of the  
Sender of someone(_at_)ebay(_dot_)com, then an email-address of someone-else(_at_)ebay(_dot_)com 
 within the From header should still satisfy "all" or "strict"  
compliance where an exception is made only for signatures using g=  
restricted keys.
> > > > 2) SSP references should be done for:
> > > Add:
> > > bb) All From email-addresses PLUS the Sender address, if any
> > >
> > > +2
> > How many From email-addresses should be allowed?
> As many as the verifier can be bothered to check. If he sees 1000  
> From addresses he may assume it is just a DOS attack and discard the  
> whole message with no further checks.
When should a verifier decide to not discover SSP records?  At two,  
three, four, twenty, fifty?  When the verifier decides there are too  
many From email-addresses, the treatment given that message must be  
that of an SSP non-compliant message, or this situation becomes a  
means to bypass SSP checking.  This variable restriction becomes an  
unspoken limit that might cause messages to become rejected.
In addition, it would not be hard to place "From" within a folded  
Display Name to confuse recipients about the email-address really  
being the sixth email-address contained within the From header.
SSP MUST specify a limit or it will cause interchange problems.

> > What benefit is derived imposing policy for Sender headers?
> >
> > Would a From header referenced policy override a Sender header  
> > referenced policy?
> See my Ebay example above.
Due to MUA displaying the Sender header, this might seem logical.   
However, allowing a signature on-behalf-of the Sender header (within  
the same domain as that of the From email-address) to satisfy "strict"  
or "all" compliance, ebay remains protected when SSP policy is only  
checked for email-addresses within the From header.
> > Currently, a small percentage of emails are signed using DKIM.   
> > Sender header policy requirements substantially increases overhead  
> > related to SSP.
> In 99.99% of cases the sender domain will already be in one of the  
> Froms, so no additional overhead.
It seems there would be little benefit derived by the added overhead.   
The From email-addresses are where SSP conflicts are important, and  
where signatures are most needed.

> > > > 3) Keys restricted by a g= parameter are treated as valid and are:
> > > Add:
> > > a) SSP "all" or "strict" compliant only when on-behalf-of a From,  
> > > Sender,
> > > Resent-From or Resent-Sender header email address.
> > Allowing compliance with headers other than From permits a holder  
> > of a g= restricted key to sign a message purporting to be "From"  
> > anyone within the signing domain.  ...
> Where do you get that? Please provide an example.
Example 1:

Sender: ads-r-us(_at_)ebay(_dot_)com (i=ads-r-us, g=ads-r-us restricted key)
From: customer-service(_at_)ebay(_dot_)com
Subject: Account information requested

This should not be "strict" or "all" compliant.

While ads-r-us(_at_)ebay(_dot_)com would be a valid signature from ebay, g=  
restricting keys was an attempt to avoid local-part abuse.  When just  
the domain of signature is considered significant to handle cases like:
Example 2:

Sender: admin(_at_)ebay(_dot_)com (i=admin, unrestricted key)
From: general-manager(_at_)ebay(_dot_)com
Subject: New holiday hours

This must be "strict" or "all" compliant.  Otherwise, the signature  
would need to remain ambiguous about who introduced the message, or  
need to falsify a signature containing i=general-manager.   
Unrestricted keys MUST BE controlled by systems that assure compliance  
with the domain's signing policy.  It would be illogical and wasteful  
to require verifiers to discovery SSP for ebay.com and check whether  
Example 2 is compliant.  ebay MUST control which messages they sign  
using unrestricted keys.
-Doug





_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html