ietf-dkim

Re: [ietf-dkim] Modified Introduction text for rfc4871-errata (resend)

2009-06-18 20:47:50
Douglas Otis wrote:

> On Jun 18, 2009, at 11:18 AM, hector wrote:
>
>> This is why I was seeking an answer to why just d= and not anything
>> else.  Was it for a reputation system?
>
> The response from a closed group of large email providers regarding
> how they would like to have their reputation handled was to have their
> entire domain's messages receive the _same_ reputation.  This is not
> surprising.


Right. Glad to hear it is a consortium or group and not just one. It 
will help centralize it. But it still is a "Batteries Required" 
problem for the general across the board adoption of DKIM.  If it's an 
open service system (free "basic service" signup model if offered, 
free client lookups), then the problem is lessened.

> Treating all of their messages en masse makes it
> impractical to isolate abusive accounts or to retain delivery
> integrity.  :^(


This is why I was so adamant about having a policy system that wide 
adoption of DKIM receivers can use as a default defense.  Not everyone 
has to be signers. The migration path might be that most will become 
DKIM verifiers first, then their domain signing strategy is worked out.

> This is also why they wish to ignore DKIM's potential for replay
> abuse.


Looking for the golden (DKIM) needles in the (abuse) haystack. :)

> DKIM suffers the problems found with any cryptographic
> solution that can be replayed.  Once all of the domain's signatures
> are white-listed as suggested, this will invite massive levels of abuse.


I am not so concerned about replays as I am about my two overall concerns:

1) Obvious DKIM faults, spoofs direct or indirect (bad guy has your 
domain in his list and is DKIM ignorant) are not protected when they 
are so easy to detect using basic DKIM signing policies.

2) The levels of faults (abuse) will overwhelm the fewer good finds, 
enough such that low to mid size receivers will turn off the 
processing. When the payoff::efficiency ratio begins to be so low, 
DKIM begins to become ignored.

Bad guys can use this form of DKIM DoS strategy as did the Sobig Dual 
Blitz attack, which helped jump-start the IETF email security efforts. It 
was the final straw for many.  Sobig first blasted systems with IP 
faults to force systems to shut down popular RBL sites, then it blasted 
people with intentional accept/bounce attacks.

What's odd is the bad guys are probably laughing it up: the best 
thing to circumvent DKIM is to not try to use it - ignore it, keep 
with Legacy operations. Don't raise any flags.  But if they wanted to 
spoof DKIM domains, all they need to do is blast enough systems to seek 
out DKIM receivers who don't subscribe to the Centralized Consortium 
Reputation Service.

What irks me the most is the lost time and opportunity to have a major 
impact on the spoof and domain abuse problem across the board, for all 
sizes of people. Not just my large customers but all my customers. 
What the large companies need to realize is that the little systems can 
really help them too.  So it is to their benefit that all systems, 
from small to large on the public Port 25 SMTP network can use policy 
or a reputation system.

We could have had both Reputation and Policy as powerful assessors to 
DKIM-BASE completely by now. But it was the reputation people who 
didn't want Policy.  The policy people have always said that reputation 
is also an important part of the picture. I even felt Reputation should 
have been part of the charter so that people can be open about it, and 
work out all the issues. They didn't have to worry about blatant 
charter ignorance and didn't have to play games with wordsmithing.

Just consider in the Draft DKIM Overview up to revision 05:

     http://tools.ietf.org/html/draft-ietf-dkim-overview-05.txt

it directly said:

    2.3.  Filtering

    ...

    Unless a scheme can correlate the DKIM signature with accreditation
    or reputation data, the presence of a DKIM signature SHOULD be
    ignored.

I know I posted concerns about that. Don't recall if others publicly 
posted concerns, but this has been removed since revision 06 with a 
complete rewrite of the DKIM overview draft.

Quite frankly, at this point, it should really be added back in. It 
will give domains a better idea, as the above statement implies, that 
DKIM-BASE is worthless without being part of some reputation 
scheme. We should not deny them this guidance.

    Unless a scheme can correlate the DKIM signature with
    accreditation or reputation data, or ADSP policy or some
    other assessor scheme, the presence of a DKIM signature SHOULD
    be ignored.

Honestly, I really think this is GOOD (and ethical) advice now.

--

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
