Re: [ietf-dkim] Tracing SSP's paradigm change

[Jim Fenton <fenton@cisco.com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have been avoiding this thread, because it does not apply to a
particular issue, but it seems to go on and on...

Jon Callas wrote:
> It's been hard over the last few days to keep pace with all of the
>  messages here, so my comments are on the basic notion that Dave
> had brought up.
>
> I agree wholeheartedly with his basic premise, that SSP started off
>  being modest, and has grown into the experimental and
> encompassing. I also agree that this isn't good.

What is the modest SSP that everyone speaks of?  The first SSP draft
that I know of is draft-allman-dkim-ssp-00, dated July 9, 2005, prior
to the chartering of the DKIM Working Group. It contains the
"unknown", "all", and "strict" policies (although they were known as
~, -, and ! respectively), as well as a "no mail" policy.  It not only
checks the local-part of the email address, it has a provision that
allows sender signing policy (as it was known then) to be expressed at
the user level.  It searches up 5 levels of hierarchy to protect
against sub-sub-sub-domain attacks.  It includes a reporting address
and a testing flag.

The only substantial thing that has been added is the handling tag.

In so many ways, SSP is much more modest now than before.

>
> So I'm going to pull back and describe how I think we got here.
>
> Back in the days of DKIM-base, we started with considering what
> happens with broken signatures. We also believed that it would be
> not uncommon for a legitimate message to get its signature broken
> in flight.
>
> When you consider what the receiver is supposed to do with a broken
>  signature, the first suggestion is, "Well, do what you did before
>  DKIM." This is legitimate, if unsatisfying. It is more
> unsatisfying the more that signatures can be expected to land
> unmolested.

By "do what you did before DKIM", I gather you mean that you consider
the signature not to exist.  If broken signatures are treated any
better than non-existing signatures, this invites attackers to attach
invalid signatures to messages.
>
> Secondly, if you consider the senders for whom DKIM is most
> valuable -- big phishing targets -- they want the illegitimate
> message thrown away.
>
> This leads us to a nice confluence of events. The receiver has a
> message it isn't sure what to do with, and the sender can offer
> helpful advice. If the sender says, "I'd rather you threw away a
> good message than accept a bad one," then the receiver has a hint
> as to what to do with it. Don't bother trying to process it, just
> junk it.

This is the "handling" flag, which was just introduced in the latest
draft.

>
> Thus is born SSP, and thus is born the "I sign everything" policy.
>  This is non-controversial, we all think it's great. As a receiver,
> if I see a broken signature, do an SSP check and if it says "sign
> all" I can now just throw the message with the broken signature
> away.

No, that's not what the "I sign everything" policy says at all.  Since
the message doesn't have a valid signature, SSP says the message is
Suspicious.  The verifier can use that information however it pleases.
>
> However, next comes an addition to that. If we assume there are
> active bad guys, they'll just send their bad messages with no
> signature. Consequently, we can solve this by redefining a broken
>  signature to include messages with no signature. It doesn't take
> much of a stretch to consider no signature to be merely the most
> extreme form a broken signature. This way, we end up will all
> forged messages pretending to be from a signing domain to be
> dropped at the receiver.

Again, not dropped, unless you're talking about the handling tag.
>
> This is undeniably a Good Thing. I support it, myself. However, it
> is also precisely the place where SSP jumped the shark. All the
> further mission-creep of SSP comes from this one
> seemingly-innocuous, well- meaning change.
>
> This *radically* changes SSP in two fundamental ways:
>
> (1) It changes SSP from being a protocol that governs the error
> condition of an optional protocol to being a protocol that governs
>  *every* email received by *every* MTA.

Application of SSP to only messages containing broken signatures has
*never* been proposed in any SSP draft.  To do so would create an
incentive not to deploy DKIM:  there would be the fear that
application of a DKIM signature might hinder delivery of messages,
because of the potential for breakage that would not exist for
unsigned messages.
>
> (2) It changes SSP from being *guidance* that a sender gives to a
>  receiver to a *mandate* that the sender gives to the receiver.

Again, you are confusing the practices with the handling tag, and even
the handling tag isn't a mandate.
>
> The first one is troubling for a number of reasons. When we started
>  DKIM, we told the rest of the IETF that this was an optional
> protocol, you didn't have to use it, and so on. We also cooed
> softly at the people who worried about the increased DNS use,
> arguing many ways that this wouldn't dramatically increase the
> global load on DNS all that much.
>
> While this addition (SSP check on every message) is certainly a
> Good Thing, it means that we've gone back on our word to the rest
> of the IETF. I think it could be argued that that this violates the
> DKIM charter, in spirit, if not in the letter.

I'd like to know what part of the charter you think this violates.

So, let me get this right:  We allow domains to optionally publish a
policy (practice) that says "I sign everything" but we don't even
check that when we get something that isn't signed.  How can that
possibly be useful?

>
> The second one is much subtler. It's a principle of email sending
>  that the receiver can do whatever they want, no matter how stupid.
>  While it may be useful for the sender to offer hints and guidance
> to the receiver, the sender cannot mandate. While I don't know how,
> I see here the makings of an exploitable architectural flaw.

It's about as non-mandatory as I can think of making, other than
making it a non-normative implementation note (which of course I'll do
if the WG consensus says so).  Beyond that, we're in the "treat the
message (hint-hint, nudge-nudge) with prejudice" realm, which is more
dangerous than being more specific, as Scott Kitterman has noted about
SPF.

>
> I think we need to take a big step back from SSP. We need to
> seriously look at all policies other than the original "sign
> everything" policy and discuss them thoroughly. We need to
> seriously look at that one little change and discuss how it
> changed, as Dave said, the very *paradigm* of SSP.

I would like to know *when* it changed, and then I would have context
for *how* it changed.
>
> I offer as a suggestion that we issue an SSP document that
> describes only the basic broken-signature-only model of SSP with
> only the one policy (sign-all). After that, we look at enhancements
> to the model carefully. We seriously discuss whether they are
> outside the charter because of the effect it has on the global
> email infrastructure to turn DKIM from an opt-in protocol to a
> you-must protocol. We also seriously have to look at other policies
> to discuss their effectiveness along with their environmental
> effects.

SSP in no way turns DKIM from opt-in to you-must.   Domains that don't
publish SSP have their mail treated as non-Suspicious, regardless of
the presence or absence of signatures, which is the most favorable
category.

- -Jim

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHYN7VR3t0p2Nw35URAre9AJ0UPKHDid1Lzf9ejdSPxqSMvc810gCghCbV
9y2u6y3ylbEW2JJ3vFHGIks=
=WnMn
-----END PGP SIGNATURE-----
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html