Re: [ietf-dkim] Re: Associated Signatures

On Jan 24, 2008, at 4:36 AM, Charles Lindsey wrote:

> On Wed, 23 Jan 2008 19:44:47 -0000, Douglas Otis <dotis(_at_)mail- 
> abuse.org> wrote:
> > On Jan 23, 2008, at 4:51 AM, Charles Lindsey wrote:
> > > > What benefit is derived by imposing an explicit i= parameter  
> > > > requirement on an originating header for "all" or "strict"  
> > > > compliance?
> > > I don't know, but what has that got to do with my suggestion above?
> > You said "an associated signature".  It was not clear whether you  
> > meant "associated" using the d= tag ignoring the i= tag, or using  
> > the i= tag (and its default)?
> OK, an address in one of those headers matches the signature iff the  
> various d=, i= and g= tags so determine according to RFC 4871,  
> taking the local-part of the address into account if necessary.
I do not agree with a local-part exclusion.

DKIM-Signature: i=admin(_at_)example(_dot_)com d=example.com ... (no g= parameter  
in key)
Sender: Tom Smith <admin(_at_)example(_dot_)com>
From: Will Jones <W(_dot_)Jones(_at_)eng(_dot_)example(_dot_)com>

This signature indicates the message is compliant with example.com's  
signing policy.  There should be no reason for a recipient to check  
example.com's SSP record.  If they did and it indicated an assertion  
of "all" or "strict", this message should be considered complaint.
Inspection of this signature also indicates which entity introduced  
the message.  Matching this identity with the header might lead  
recipient's to conclude Tom Smith introduced the message as a Sender  
on behalf of Will Jones <W(_dot_)Jones(_at_)eng(_dot_)example(_dot_)com>, but this header  
MUST be included within the signature's hash before reaching that  
conclusion.
When highlighting whether a message is signed, and by whom, this  
highlighting should be limited to information included within the  
signature's hash.  The signature's coverage with respect to From  
header compliance should also consider the g= and t= parameter when  
signing for other identities not within the From header.
> > It would seem your agree that a signature on-behalf-of the Sender  
> > within the same domain as the From should satisfy compliance with  
> > either "strict" or "all".
> Yes, unless there is a g= tag that does not encompass both.
Agreed.

> > > If, when you are done, you have ticked off all the available  
> > > addresses, then there is nothing to be suspicious about. But, if  
> > > any address has not been ticked, you are entitled to ask "why not?".
> > You wish to include SSP discovery for any header, rather than just  
> > for those within the From header lacking a signature within a  
> > domain at or above the email-address domain?
> Yes, it should apply to any header which ought not to have escaped  
> outside the signers boundary without being signed, according to his  
> published SSP. Our SSP draft would specify exactly which those  
> headers were (and maybe there would be more tags in the SSP records  
> than we have proposed so far).
I do not agree.  It seems reasonable to limit SSP compliance to only  
the From email-addresses.  However, unrestricted signatures for other  
headers must also be considered proof of policy compliance.  SSP  
definitions must reflect the concept that a signature _defines_ the  
signer's policy.
> > > Checking SSP for all headers might cause an excessive level of SSP  
> > > discovery.  Excessive SSP discovery increases the overhead related  
> > > to DKIM, and increases concerns related to DDoS effects.
> NO IT DOESN'T, because we all agree that these cases of multiple  
> different addresses in the headers mentioned are going to be  
> exceedingly rare. In 99.99% of cases there will be just one From  
> address, the Sender (if present) will be from the same domain, and  
> there will be no Resent-* headers at all.
This might depend upon the level of email being handled.  Expecting a  
process to discover SSP records for an unlimited number of domains is  
not safe for the receiver or potential targets of the transactions.   
The resulting overhead is more than able to result in a denial of  
service.
> > > As to whether we need to consider all of From/Sender/Resent-From/ 
> > > Resent-Sender, we can discuss that. But consider, supposing Ebay  
> > > has a 'strict' SSP, how could
> > >  Sender: somebody(_at_)ebay
> > > legitimately come about and not get signed by Ebay?
> > This strategy could be done differently, while only focusing upon  
> > the  From header email-addresses.
> You haven't answered my question. If you see a message with no  
> mention of Ebay in its From, but with Sender: somebody(_at_)ebay and with  
> no signature from Ebay (who claim to sign everything leaving their  
> boundary), then how can that message possibly NOT be bogus? That  
> seems to be a sufficient reason for saying that 'all'/'strict' ought  
> to include whatever is in the Sender.
When ebay signs a message containing Sender: somebody(_at_)ebay and happens  
to contain a From also within their domain, then this message (with  
the possible exception of g= t=s key parameters) must be considered  
complaint.  The protection being sought is for the From header.  If  
you feel it is important to also protect the Sender header, that is  
your prerogative.  A view that the domain of the signature provides  
compliance works for any header.  Including the Sender header will  
significantly increase the number of SSP discoveries needed to support  
protection of From and Sender headers since most messages are not  
signed.
> > > Or, suppose someone outside sends email to someone(_at_)ebay(_dot_)com who  
> > > then decides to resend it to someone outside. How could that NOT  
> > > get signed by Ebay on the way out?
> > This strategy could introduce an inordinate level of SSP discovery.
> HOW? Do you suppose that the number of outside messages Resent by  
> Ebay will be more than a tiny fraction of the messages originating  
> within Ebay itself?
The number of Sender headers found in messages has increased due to  
the use of the PRA algorithm.  There will be a large number of  
messages containing different domains in the From and the Sender  
header.  Protection of the Sender header separately from that of the  
From requires an increase of SSP discovery.  Is that increase worth  
doing?  What abuse would it prevent?
> > > > How many From email-addresses should be allowed?
> > > As many as the verifier can be bothered to check. If he sees 1000  
> > > From addresses he may assume it is just a DOS attack and discard  
> > > the whole message with no further checks.
> > When should a verifier decide to not discover SSP records?  At two,  
> > three, four, twenty, fifty?
> When the number gets big enough that the DNS overhead REALLY really  
> starts to hurt. If I had to choose one of those numbers to write  
> into our document as the minimum that SSP owners could reasonably  
> expect to be accepted, then I would choose "fifty", as being way  
> beyond any normal usage and still not likely to enable a serious DOS  
> attack on the DNS system.
This view can result in a significant amount of targeted traffic.  10  
would represent a network amplification that might be seen with many  
other types of attack.
-Doug
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html