Re: [ietf-dkim] draft-ietf-dkim-ssp-02.txt ASP/SSP section 2.8

Eric,

I sincerely appreciate your response and I do hope you are on your wayto full recovery from your surgery. I had a hip replacement a few yearsback and it was the first time in a long time I was forced into aprolonged 'vacation' from work. :-)

It been a long road to where we are now. A road where we tuned nearlyevery stone and discussed, and even worked out. There were someremaining issues, but ones that I don't believe were not addressable.

The best I can describe the concerns is that we lost the potential forprotocol consistency fraud.

For example, you pointed out SSP-01 DKIM=ALL offered 3rd partysignatures and this could be deemed weaker, I agree with that point.

However, I never indicated that a VALID 3rd party was ever classified assecured, but the lack of one is were the power of the concept is found.

The concept is really nothing new compare to other fraud detectionconcepts, things we all do in some form or another, include SMTP.

A simple example is a traffic cop requesting and analyzing your driverlicense. The officer is first going to make sure that the attributesindicated on the card matches what he sees in person. If the driver is a20 year old woman and the license says 60 year old man, then this amongother thing he can compare raises a red flag.

Anything that doesn't conform to expectations is always the first thingpeople notice. As you know, this is a basic model in lots of things we do.

In our SMTP world, an excellent example is PORT 25 and its relaxed SMTPcompliance versus PORT 587 and its strict SMTP compliance requirements.i.e, EHLO checking under port 25 is recognized as low benefit for manyhistorical reasons. Under port 587, EHLO correctness is a requirement.Same with other expects between the two protocols. In short, PORT587 has less tolerance towards legacy operations - by design. You mustlogin. You must have certain headers, etc.

Even in standard SMTP port 25 operations, we have basic x822 headerrequirements that some systems may be very strict about if they don'texist in the DATA block or post SMTP processing. But there is no BCP forthis.

But with DKIM/SSP we can take control of this now and not allow it tobecome yet another "relaxed" protocol.

So again, the power here is in protocol inconsistency fraud detection.Once things are all "compliant" then the other things comes into play,because there is really not much more DKIM/SSP can do from this point.

This is where other layers may come into play, including reputationideas and anything else. I never argued against reputation. I just feltthat one group was trying to based DKIM/SSP on it only and not evengiven the SSP concept a chance. Unfortunately, the entire process hasbeen commandeered in what appears to be a strategic goal to simply waterit down to a level of total uselessness.

So to me the idea of an Evaluator would be first a fundamental protocolconsistency Evaluator that would be part of the DKIM/SSP frameworkacross all supportive/compliant systems. It would be 100% independentfrom any subjective or heuristics or reputation analysis or any onegroup detecting their questionable inherent policies or implementationsmethods.

It really has nothing to do with good guys vs bad guys because as weknow, bad guys too can exhibit compliant behavior. But that is we wanthere - we want to make sure everyone (bad and good) are all playing inthe same field of following the basic fundamental protocol. Just likewe expect with other any standard client/server communications protocol.

We want this model because if we can't expect compliance with the GOOD,than we can't expect it from the BAD, and if we allow DKIM/SSP to becomethis, we would be back to square one of relaxed SMTP legacy transactionswhere receivers lack enforcement and know hows but more importantly hasno new information to rely on beyond the normal level of operations toconsider.

DKIM/SSP changes all that, this is what lead me to technology and I ofthe belief this will be a major benefit for the SMTP industry.

But this is only going to work with a standard protocol "out of the box"all must follow if they wish to implement it. I think this is allseparate from having extra evaluators (i.e, reputations, spam-assassin,etc). If we start with standard relaxed higher level system, then wewill have lost an unique opportunity we haven't had in SMTP.


Thanks


--
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

Eric Allman wrote:

Hector,
Some of what you say is correct, but other descriptions of changes inSSP-02 don't match what we were trying to do. It may well be that wedidn't get the wording right yet.
First, a confession: most of the major changes in -02 are my doing. Inparticular, I think I pushed some things onto Jim that went further thanhe had wanted. I think it's unfair to ask Jim to defend things that arebasically my own responsibility. I particularly apologize because Iwent in for major surgery just about the time this was hitting the fan,and I'm not yet fully functioning.
There's a certain philosophical difference between folks on this list.Some want SSP to be extremely specific. Others have gone on at lengththat the SSP spec has no right or authority to impose its own will onreceivers. I have sympathies for both positions, but I have to agreethat there is no chance that we can successfully dictate how receiversoperate. I've said publicly many times that receivers will simplyignore the specs if it makes their lives better --- as we see today withintentional violations of RFC 2822. SSP-02 is an attempt to pare SSPdown to appeal to the second set. Yes, that weakens SSP, but that seemsinevitable at this point. In particular, I'm concerned that withoutgiving receivers any guidance on how certain situations should behandled we'll end up in a fairly chaotic state. However, I do agreethat such guidance should probably go in a non-standards-track document.
A few specific points from your message:
--On February 6, 2008 1:46:58 AM -0500 Hector Santos<hsantos(_at_)santronics(_dot_)com> wrote:
[...]
With SSP-02/ASP, we lost the powerful SSP-01 DKIM=ALL protection
against 3rd party fraud.
Speaking about SSP-02, I'm not sure how you see we've lost that"protection". In -01, DKIM=ALL specifically allowed 3PS (Third-PartySignatures), so arguably it was weaker before. Under SSP-02, a receivercould decide that 3PS should be treated more harshly (where "moreharshly" doesn't necessarily mean "discard" --- it could just mean docontent scanning on the message).
We did remove all discussion of 3PS. The extended list discussionaround them made it clear that we just don't have enough operationalknowledge at this time to understand how they should work. As such, weare now leaving all interpretation of 3rd party signatures up to thereceiver. That doesn't mean we've necessarily lost the ability tohandle 3PS in a distinct way, but it will have to go into anotherdocument, at least for now.
The NEVER concept can still be covered using DKIM=DISCARDABLE and a
NULL DKIM public key.

The EXCLUSIVE concept can still be covered using DKIM=DISCARDABLE.
Except that DISCARDABLE doesn't prohibit 3PS. It doesn't even say thatmessages without any signatures MUST or even SHOULD be discarded. Allit says is how the purported author domain views the messages that itsends out. The furthest it goes is to say that the purported AuthorDomain "encourages the recipient(s) to discard it."
But anything related to 3rd party signers was completely eliminated
in SSP-02/ASP.  Even though SSP-02 DKIM=ALL is a "always sign for
1st party authors" concept, it is basically a DKIM=DISCARDABLE
without semantics on REJECTION.  DKIM=DISCARDABLE failures is
explicit with the REJECTION control.  DKIM=ALL failures are not.
SSP-02 DKIM=ALL is not a "always sign for 1st party authors" concept. Itdoesn't even mention first parties, any more than it mentions 3rdparties. All it says is "when the message left my control, I had signedit." It says absolutely nothing about how the receiver should handlethe message.
Similarly, and as noted above, DKIM=DISCARDABLE makes no normativeassertions about what the receiver should do with the message. It isimpossible to say anything about when the receiver should rejectmessages without stepping into the forbidden territory of forcing acertain behavior on the receiver.
In short, DKIM=ALL is the SPF version of SOFTFAIL where you can
record it, but you do not take any REJECTION action on it.  Just
like SPF.
There's nothing that prevents the recipient from rejecting messagesunder a DKIM=ALL condition. In fact (if we did it as intended) there isno normative language anywhere in SSP-02 about how the receiver shouldprocess messages, be they signed, unsigned, or 3PS.
[...]
But that is not the case with DKIM.  Here we have 100% detectable
fraud capabilities that is unrelated to legitimate multiple hope IP
issues and ASP is mandating a flawed inherent policy that RECEIVERS
should ignore certain kinds of obvious fraudulent messages.
I'm not speaking to ASP, but SSP-02 makes (or is intended to make) NOnormative restrictions on when the receiver should accept or reject anymessages.
Another addition to SSP-02 was the concept of the Evaluator. This wasadded purely to try to make it clear that SSP is merely one input intothe decision process. The Evaluator decides whether to reject amessage, quarantine it, do additional content scanning on it, accept itwithout further scanning, redirect it to the FBI, post it on USENET, oranything else it cares to do. My hope was that creating an explicitentity that makes the decision and clearly declare it out of scope wewould clarify the limits of SSP.
It is my sincere hope that we will quickly gain enough experience thatnew documents can be produced providing further guidance (notrequirements) for how the Evaluator should interpret SSP for broadestinteroperability.
eric




_______________________________________________

NOTE WELL: This list operates according tohttp://mipassoc.org/dkim/ietf-list-rules.html