On 10/3/2013 1:51 PM, Douglas Otis wrote:
Dear Hector,
Indeed, more should be said about underlying reasons.  The reason for abandoning ADSP is 
the same reason few providers reject messages not authorized by SPF records ending in 
"-all" (FAIL).  Mailing-list software existed long before either of these 
strategies, and domains using mailing lists need to be excluded from having DMARC policies 
(until a revised ATPS specification able to use normal signatures is published).  The 
reason for moving toward DMARC is that, although aligned policy is only suitable for domains 
limited to messages of a transactional nature, places where one authorization scheme 
fails can be mostly recovered by the other, which greatly increases the chances of a 
domain's policy being applied in the desired fashion.
Whether it's ADSP, DMARC or anything else, any DKIM resigner has to be 
aware of the consequences of blind signing.  It cannot operate in a 
vacuum as if all of the following documents did not exist:
   RFC4686  Analysis of Threats Motivating DKIM
   RFC5016  Requirements for a DKIM Signing Practices Protocol
   RFC5585  DKIM Service Overview
   RFC5617  DKIM Author Domain Signing Practices (ADSP)
   RFC5863  DKIM Development, Deployment, and Operations
   RFC6377  DomainKeys Identified Mail (DKIM) and Mailing Lists
All of them describe a basic integrated concept of protecting the 
domain signature which is still a problem to be resolved today 
otherwise the payoff of the new DKIM "Internet Standard" is still 
Zilch, Nada, Nil.
So if the movement is now towards DMARC, is mailing list software 
going to support the policies exposed by DMARC restrictive domains?
We are not resolving the basic debate that was always with us.
Stripping Policy from the DKIM framework as a separate SSP, then further 
relaxing it and changing it to ADSP and now DMARC does not resolve the 
basic fundamental problem with securing DKIM signatures if middleware 
is not going to support the concept and continues with blind 
resigning.
Make ADSP historic and DKIM itself is at risk of finally falling into 
that wasted protocol project as well.  Sure, everyone is signing, but 
also stripping and replacing everyone's signature; its value has been 
totally lost.
Go figure. I think the requester of this change ought to write a 
report explaining how making ADSP historic and adopting DMARC 
minimizes any impact and also helps keep DKIM as a viable mail 
signature concept to have.  How the payoff is finally realized with 
DMARC rather than ADSP.
--
HLS
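As an added illustration of the point in the quoted paragraph (example code, not from either poster), a minimal Python model of DMARC identifier alignment: the verdict passes if either aligned SPF or aligned DKIM passes, so a forwarder breaking SPF is recovered by a surviving author signature, while a mailing list that re-sends from its own domain and re-signs with its own key fails both. The organizational-domain rule is a simplified assumption (last two labels) standing in for the Public Suffix List, and all sample results are constructed.

```python
"""Minimal DMARC alignment evaluation (added example; simplified model)."""
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    # ASSUMPTION: organizational domain = last two labels. Real DMARC
    # implementations derive this from the Public Suffix List instead.
    labels = domain.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact match); 'r' = relaxed (same org domain)."""
    if mode == 's':
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain the policy is looked up for
    spf_result: str    # 'pass', 'fail', ... from the SPF check
    spf_domain: str    # RFC5321.MailFrom domain that SPF evaluated
    dkim_result: str   # 'pass', 'fail', ... from signature verification
    dkim_domain: str   # d= tag of the verified signature


def dmarc_evaluate(r: AuthResults, adkim: str = 'r', aspf: str = 'r') -> dict:
    """Return per-scheme alignment and the combined DMARC verdict.

    Either aligned scheme passing is enough: a failure of one is
    recovered by the other, which is the point made in the thread.
    """
    spf_ok = r.spf_result == 'pass' and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_ok = r.dkim_result == 'pass' and aligned(r.dkim_domain, r.from_domain, adkim)
    return {'spf_aligned': spf_ok,
            'dkim_aligned': dkim_ok,
            'dmarc': 'pass' if (spf_ok or dkim_ok) else 'fail'}


# Constructed scenario 1: plain forwarding breaks SPF, but the author's
# DKIM signature survives untouched, so DMARC still passes.
FORWARDED = AuthResults('example.com', 'fail', 'forwarder.example.net',
                        'pass', 'mail.example.com')

# Constructed scenario 2: a mailing list re-sends from its own envelope
# domain and re-signs with its own key; neither identifier aligns.
LISTED = AuthResults('example.com', 'pass', 'lists.example.org',
                     'pass', 'lists.example.org')
```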