ietf-dkim

Re: [ietf-dkim] end-users vs filtering engines

2008-05-01 12:30:47
I sensed my name invoked and was compelled to join the melee.

-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org [mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Al Iverson
Sent: Wednesday, April 30, 2008 8:15 PM
To: DKIM List
Subject: Re: [ietf-dkim] end-users vs filtering engines

On Wed, Apr 30, 2008 at 7:02 PM, Dave Crocker <dhc(_at_)dcrocker(_dot_)net> wrote:

 While perhaps it closes off some particular names, it does not close off the
 class of attack at all.

 It is one thing to have a mechanism that makes it incrementally more
 difficult for an attacker to succeed. It is quite another to make it no harder
 at all.  If all the attacker has to do is register a new name and use a
 string-replacement on their previous attack, we do not have any meaningful
 added protections.

Dave, this actually reads as though you suggest we throw out ADSP
altogether. I don't see how this limit doesn't apply to ADSP regardless
of tree walking functionality.

 >> So the question is what sort of mechanism is going to benefit from
 >> locking sub-domains, but not cousin domains?  How is the benefit
 >> meaningful?
 >
 > I don't understand the question but I suspect it's a variant of what's
 > already been asked and answered.  Is there something new here?

 Asked, yes.  Answered, I don't think so.

Well, I certainly proposed one potential scenario where sub domain
locking would be useful (to me, arguably not to you). Archives suggest
Michael Hammer would prefer sub domain locking, as have Jim Fenton's
comments. Perhaps they could theorize an example or two of where and
how this would be useful to them.


Cousin domains are orthogonal to the ADSP issue. 

Focusing on subdomains, I believe it may be useful for both senders and
checking receivers if a domain were to be able to assert whether its
policy applies to all of its subdomains. Given that we don't know how
receivers or reputation services might utilize such an assertion, I
would avoid must or should for a check at this stage.

My reasons for stating this are as follows:

1) In my estimation, ADSP is particularly useful for both senders and
receivers if it asserts that all mail is signed and/or discardable.
There is certainly some value if limited to only a specific
domain/subdomain but potentially greater value if an assertion can be
made that covers part or all of a tree. This allows a domain owner to
make a broader statement about its practices.

2) The ability to make a policy assertion across the board from a base
domain may empower receivers and reputation services in their efforts to
identify "good" - as in conforms to signing policy - vs "bad" as in does
not match the domain owner's stated policies through the mechanisms they
are empowered to express them through. ADSP is (or should be) a public
mechanism to extend and replace the private one-on-one
agreements/relationships that a handful of senders and receivers have
engaged in to fight (forged) spam and phishing prior to having a public
standard based option.

3) If such a policy assertion is included in ADSP then I have abiding
faith and confidence that there are those legitimate receivers and
reputation services that will take advantage of such an assertion. I
wouldn't even mandate any sort of tree walking, MX checks, NXDOMAIN
checks, etc on the receiver side with regard to such a policy assertion.
The assertion could be something as simple as a=y where "a" is all
subdomains sign and y is yes.

I want to emphasize that I am not currently at the point where the
domains I work with could make such a policy assertion but I am close
(maybe one exception per domain tree) and would strive to get there if I
were empowered through ADSP to make such an assertion.

What I would like to hear from software providers, receivers and
reputation folks is whether they would see a benefit from or take
advantage of such assertions by (particularly) large heavily phished
domains and other domains in general?

Ultimately, I'll implement whatever I can get from this ADSP process
whether narrowly scoped or more broadly scoped. As I see it we are
incrementally closing off specific spaces from specific types of abuse.
Nothing more and nothing less. For our website (brand) domains we have
intentionally restricted the subdomains that we send email from. The
ability to assert signing for all subdomains in a tree makes it clear to
receivers that any subdomain in that tree should have a valid
signature... even subdomains that exist but are not necessarily used for
email currently. If need be we will publish an ADSP record for every
domain we use.

Mike
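
Added example, not part of the original message or of any ADSP specification: one way a receiver could optionally use the `a=y` all-subdomains assertion suggested above when an author domain publishes no ADSP record of its own. The `a` tag is the message's hypothetical syntax; the sample records, the function names and the caller-supplied `org_domain` boundary are assumptions made for illustration.

```python
# Constructed sample data: ADSP TXT records keyed by owner name.
# "a=y" is the hypothetical all-subdomains tag suggested in the message.
SAMPLE_RECORDS = {
    "_adsp._domainkey.example.com": "dkim=discardable; a=y",
    "_adsp._domainkey.news.example.com": "dkim=all",
}

def parse_adsp(txt):
    """Parse 'tag=value; tag=value' into a dict (first occurrence of a tag wins)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags.setdefault(key.strip().lower(), value.strip().lower())
    return tags

def lookup(domain, records):
    """Return the parsed ADSP record for a domain, or None if none is published."""
    txt = records.get("_adsp._domainkey." + domain)
    return parse_adsp(txt) if txt is not None else None

def effective_policy(author_domain, records, org_domain):
    """Return (policy, source_domain, inherited) for a message's author domain.

    org_domain is the top of the tree the receiver is willing to walk
    (assumption: the caller supplies it, e.g. from a suffix list).
    """
    domain = author_domain.lower().rstrip(".")
    org = org_domain.lower().rstrip(".")
    own = lookup(domain, records)
    if own is not None:  # the domain's own record always wins
        return own.get("dkim", "unknown"), domain, False
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent != org and not parent.endswith("." + org):
            break  # left the tree: cousin domains inherit nothing
        rec = lookup(parent, records)
        # An ancestor without a=y makes no claim about its subdomains; keep walking.
        if rec is not None and rec.get("a") == "y":
            return rec.get("dkim", "unknown"), parent, True
    return "unknown", None, False

if __name__ == "__main__":
    for d in ("news.example.com", "unused.www.example.com", "example-secure.com"):
        print(d, effective_policy(d, SAMPLE_RECORDS, "example.com"))
```

The cousin domain `example-secure.com` resolves to `unknown`, which matches the point in the message that cousin domains are orthogonal to the subdomain assertion.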

