ietf-dkim
[Top] [All Lists]

RE: [ietf-dkim] draft-ietf-dkim-ssp-02.txt Discardable/Exclusive

2008-02-08 18:09:28
 

-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org 
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Wietse Venema
Sent: Friday, February 08, 2008 6:37 PM
To: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] draft-ietf-dkim-ssp-02.txt 
Discardable/Exclusive

MH Michael Hammer (5304):
If a domain chooses to sign DKIM with respect to a From field email 
address that purports to be from that domain and that domain has the 
ability to make an assertion (of any sort) through SSP with 
regard to 
it's practices:

Is the potential benefit afforded a receiver by checking that SSP 
assertion AND taking whatever (unspecified) action worth the 
effort of 
doing so? If receivers are likely to have little or no 
benefit/interest in checking SSP then the rest of the 
discussion is moot.

In other words, is the juice worth the squeeze?

Spammers can use DKIM and SSP too. Therefore and the juice is 
not worth the squeeze unless the receiver actually knows the domain.
Perfect DKIM+SSP by a total stranger is relatively meaningless.


I'm asking in terms of the overall implementation. In a world where all
domains are strangers the juice is definately not worth the squeeze.
That is the chicken and egg of kickstarting adoption. 

Is the same true where half (or pick a percentage of your choice)the
domains are strangers? At what point do the benefits of checking
outweigh the costs of checking?

But we've already visted that station many times in the past.

      Wietse

While it may be absolutely correct with no context - relatively
meaningless at a micro level until behavior starts to be examined and
matched to that signature. At a macro level it may be that receivers
assign a reputation of newly signing domains based on general experience
with the class (or segments based on type of mail received from that
class) newly signing domains. It may be that DKIM+SSP will be matched to
previous mail flows by IP address or other characteristics associated
with a sender. Until DKIM+SSP is in the wild it is hard to say how that
will play out.

If we are trying to use DKIM+SSP to directly identify "bad" then I'm not
sure how useful it will be. There are plenty of ways for bad actors to
act bad. On the other hand, if DKIM+SSP allows some determination of
"good reputation" (tied to behavior of that signing domain) - even if
over time - then it may be useful in some cases. If that then enables a
comparison of the two (where bad is purporting to be the good actor
within certain parameters)it may be useful in other cases.

It will certainly be interesting to see what happens when DKIM+SSP "good
reputation" turns to "bad", especially when it involves subversion of a
domains own security processes. Much talk of how reputation is gained
but little of it's loss. How sticky will good reputation based on
DKIM+SSP or other metrics be?

Without SSP, how (or even why) will receivers choose to take advantage
of DKIM? I'm not talking a handful of domains, I'm talking more general
adoption by receivers. If potential 1st party or 3rd party legitimate
signers (not the bad guys) don't have some expectation as to how
receivers will interpret and act on their signing, how strong an
incentive do they have to begin signing? I'm also assuming that their
expectation has to be a positive outcome or they have a disincentive to
sign.

It's a given that spammers will try to use/abuse DKIM and DKIM+SSP to
cloak themselves with. It's the nature of the beast. This ties into
other issues surrounding mail,domain host compromise and other abuse. I
fully realize that even if DKIM+SSP can afford protection for certain
things it doesn't protect from all bad things. That's another given. 

My understanding with regard to DKIM and other authentication approaches
is that the goal is to stake out defined areas and practices which can
identify/protect legitimate (even if limited or only after reputation is
built) mail and hopefully drive out bad actors from those areas. 

So if it isn't 3PS (01) and it isn't ASP (02) then what is it that is to
be identified/protected by SSP?

There are at least three large receivers that are checking DKIM and
assigning pass/fail to those signatures, even if they may not currently
be taking action on those determinations . I have to assume that there
is a perceived potential benefit on their part to checking for
signatures as well as checking of signatures. 

Is DKIM checking sufficient in itself without SSP? How might DKIM-SSP
help receivers (the 3 aforementioned as well as others) leverage their
evaluation of received email whether signed (valid or not) or unsigned?

Mike

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

<Prev in Thread] Current Thread [Next in Thread>