IETF Logo Mail Archive

Re: [ietf-dkim] punting into near-term standardization

"Hector Santos" <hsantos@santronics.com> Sun, 06 August 2006 08:40 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G9eAz-0000TC-Oj for ietf-dkim-archive@lists.ietf.org; Sun, 06 Aug 2006 04:40:01 -0400
Received: from sb7.songbird.com ([208.184.79.137]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G9eAy-0002Xd-8y for ietf-dkim-archive@lists.ietf.org; Sun, 06 Aug 2006 04:40:01 -0400
Received: from sb7.songbird.com (sb7.songbird.com [127.0.0.1]) by sb7.songbird.com (8.12.11.20060308/8.12.11) with ESMTP id k768ZUb4013765; Sun, 6 Aug 2006 01:35:30 -0700
Received: from winserver.com (catinthebox.net [208.247.131.9]) by sb7.songbird.com (8.12.11.20060308/8.12.11) with ESMTP id k768ZJFY013738 for <ietf-dkim@mipassoc.org>; Sun, 6 Aug 2006 01:35:19 -0700
Received: by winserver.com (Wildcat! SMTP Router v6.1.451.8) for ietf-dkim@mipassoc.org; Sun, 06 Aug 2006 04:37:25 -0400
Received: from hdev1 ([72.144.82.177]) by winserver.com (Wildcat! SMTP v6.1.451.8) with ESMTP id 1607228688; Sun, 06 Aug 2006 04:37:23 -0400
Message-ID: <02d201c6b933$0ae07270$0201a8c0@hdev1>
From: Hector Santos <hsantos@santronics.com>
To: dcrocker@bbiw.net, ietf-dkim@mipassoc.org
References: <20060805034058.861.qmail@simone.iecc.com> <44D421F2.20705@dcrocker.net>
Subject: Re: [ietf-dkim] punting into near-term standardization
Date: Sun, 06 Aug 2006 04:33:24 -0400
Organization: Santronics Software, Inc.
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Songbird: Clean, Clean
Cc:
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Sender: ietf-dkim-bounces@mipassoc.org
Errors-To: ietf-dkim-bounces@mipassoc.org
X-SongbirdInformation: support@songbird.com for more information
X-Songbird-From: ietf-dkim-bounces@mipassoc.org
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 287c806b254c6353fcb09ee0e53bbc5e

----- Original Message -----
From: "Dave Crocker" <dhc@dcrocker.net>
To: <ietf-dkim@mipassoc.org>

>
> The two that I vote for are:
>
> 1. I sign everything.
> 2. I send no mail.

Dave, these are ok, but please consider the implementations considerations
that were already discussed in the old list and well as here.

Lets assume these are it.  How do implement it?

Lets use an email example:

   From: abc.com
   DKIM-Signature: d=xyz.com

In order to satisfy the checks, my verifier needs to a DNS SSP lookup.

If the policy said "I send no mail", then is strong evidence that this
message is unauthorized and unacceptable.  Agreed?

If the policy said "I sign everything", then the existence of the
DKIM-Signature is checked.  If it was missing, then is strong evidence that
this message is unauthorized and unacceptable.  Agreed?

But it does exist, so you have two security questions here:

    - Was a signature expected?
    - Was a 3rd party signature expected?

Lets handle the first question first - "Was a signature expected?"

It is quite conceivable that during the migration period, many systems will
implement an DKIM verifier first before completely the DKIM signing
component.  During this phase, it would not be signing message, so no
message is expected to be sign.

Understandibly, some people said that checking the KEY will fail so this is
basically the same "I never sign mail."

But is not a 2nd DNS lookup. By simply adding policy "I never sign mail",
then the 1st SSP lookup would satisfy this requirement in an efficient and
optimal manner.

There could be other reasons why one may not want his mail signed beside
migrations, but migrations, to me, seems to be a good reason, in fact, I can
see us completing the DKIM verifier first before we get into the signing
part.  So I see this as a reasonable and practical situation.

Now, the more complex issue is the second question "Was a 3rd party
signature expected?"

I believe this is where the major source of contention in simplifying the
policies vs. enhancing the security of the system.

But consider this:  During the 1st SSP lookup, if there was a policy "Only I
sign mail", then we immediately resolve this condition with additional
overhead or change in logic.   The verifier simply sees the d=xyz.com and it
will immediately now this is not a desirable condition expected by the
domain.  1 DNS lookup is all that was required.

So in opinion, there is sound technical reason to include:

    "I never sign mail"
    "Only I send mail"

I hope this make sense and I hope you take the time to review my comments
here and see it from a software implementation standpoint.

I just want to add that my #1 goal is to optimize rejection with 100% True
Negatives at the transport level by eliminating the most obvious failure
conditions that can occur.

All the rest will be passed to other MFA (Mail Filter Agents) including
Reputation Systems.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com























_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

v2.23.0 | Report a Bug | By Email