Re: [ietf-dkim] draft-ietf-dkim-ssp-02.txt ASP/SSP section 2.8

Douglas Otis wrote:


On Feb 5, 2008, at 10:46 PM, Hector Santos wrote:

With SSP-02/ASP, we lost the powerful SSP-01 DKIM=ALL protectionagainst 3rd party fraud.
An "all" assertion never implied all unsigned messages should berejected.


Not in SSP-02, but it was implied in all other previous drafts.

This assertion also never ensured receivers that third-partyhandling was avoided.

Sure it did, in SSP-00, SSP-01, it was very clear. We had policies thateither expected it or did not expect it.

This was removed in SSP-02, *intentionally neglectful* of the securityissues this removal creates.

Any damaged signature must be handled as if notsigned.

SSP-02 removes all semantics for REJECTION in policies other thanDKIM=DISCARDABLE where there is a explicit statement for REJECTION. Theimplication is sure the DISCARDABLE has clear instructions for REJECTIONand all others do not.

When signature fails and the only different is the policy and oneimplies to receivers "These Failure is rejectable" for DKIM=DISCARDABLEand "The same failures are not rejectable" in DKIM=ALL, not only doesthis lack common sense, it is foolish to believe that this inconsistencywill be tolerated by the general case receivers, thus making it muchmore difficult to consider DKIM in general.

I am not guessing here, I have a hard time accepting the idea of addingDKIM to our package because of this. Its going to make life moredifficult, not less, for my customers, I would be irresponsible to addsomething filled with flaws, false hope and high potential for moresupport issues than less. ASP is not helping the ANTI-SPAM problem, itis adding to it.

Otherwise, spoofed signatures permit a means to thwart policiesthat give credit for invalid signatures.


Exactly, that is what SSP-02 now provides!

The NEVER concept can still be covered using DKIM=DISCARDABLE and aNULL DKIM public key.
Disagree.  This is attempting once again at establishing that no email
is sent by the domain.

No, it is establishing the reality in the world where real companies andpeople who have domains which are never meant and used for email but itis forged, exploited and abused by bad guys, bulk mailers, spammersanyway. Is this not a reality?

The rub being that this assertion does notrequire DKIM to be involved.

If this was a Return-Path domain for which there is an STANDARDASSERTION of MX involvement, I can see your point. But we are nottalking about the Return Paths, but From: header domains and in thiscase, it is a DKIM involvement to consider the From: domain for MXcorrectness.


> If done, this assertion should be made

directly rather than requiring still more DNS transactions.


Two things:

First, I believe you were one of the principles in getting thequestionable MX lookup within the SSP-01/SSP-02 steps. It isn't evenoptional (SHOULD or MAY), but a MUST requirement. You shouldn't besurprise if RECEIVER ignore this MUST for the same conflictive reasonyou stated above that it is could be done as a separate protocol orprocedure outside of DKIM/SSP.

Second, how can you disagree with what is obviously possible where youhave no control or ignoring the fact you accessed a PUBLIC key?

If th public key is NULL, the DKIM signature is automatically invalidand if an ASP DISCARDABLE policy is used, it means REJECTION.

The EXCLUSIVE concept can still be covered using DKIM=DISCARDABLE.

Disagree.


But it is written in stone:

   discardable

   All mail from the domain is signed with an Author
   Signature.  Furthermore, if a message arrives without a valid
   Author Signature due to modification in transit, submission via
   a path without access to a signing key, or other reason, the
   domain encourages the recipient(s) to discard it.

Does it not mean what it says? I never was for explicit statements likethis and I don't think most WG participants ever was. All previousdocuments provided guidelines as either being "Suspicious" or"non-compliant" which for the most part is essentially code for"rejection" but IMV, its not normally good practice to be so directwith REJECTION statements in email.

Domains wishing to protect important transactional orcommerce related messages are unlikely to consider their messages"discardable".

Exactly, which in the end of the day, we all know that ASP is just awhite wash attempt to kill the entire idea of SSP.

When was changing the assertion from "strict" discussed?

Other than the ASP group attempt to get rid of it, it never happen hereopenly in the WG.

When would discarding a message be a recommended action?


When it is consistent with what was declared by the domain as unexpected.

Why is SSP attempting to define receiver actions?

It not about telling the receiver what to do but to HELP the receiverdetermine with zero false positive factors of what is expected and notexpected - its about protocol consistency.

If the DOMAIN says it doesn't expect 3rd party signatures, it would beincredibly dumb for a Receiver to ignore those factors, not just for thegood of the domain which has implicitly stated it would not takeresponsibility for a message it did not write or sign, but for thereceiver and its users as well to not use this unique detections to getrid of something that is clearly fraud or unauthorized or unexpected bythe domain.

In short, DKIM=ALL is the SPF version of SOFTFAIL where you can recordit, but you do not take any REJECTION action on it. Just like SPF.
Disagree.

Doug, you were militantly vocal against SPF for the same SOFTFAILreasons. As sure as the New York Giants are Super Bowl Champions, thenyou will be having belated recognized issues with ASP::DKIM=ALL failuresas well. :-)


--
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

_______________________________________________

NOTE WELL: This list operates according tohttp://mipassoc.org/dkim/ietf-list-rules.html