Re: [ietf-dkim] punting into near-term standardization

[Douglas Otis <dotis@mail-abuse.org>]

On Aug 6, 2006, at 1:33 AM, Hector Santos wrote:

>
> ----- Original Message -----
> From: "Dave Crocker" <dhc@dcrocker.net>
> To: <ietf-dkim@mipassoc.org>
>
>>
>> The two that I vote for are:
>>
>> 1. I sign everything.
>> 2. I send no mail.
>
> Dave, these are ok, but please consider the implementations  
> considerations
> that were already discussed in the old list and well as here.
>
> Lets assume these are it.  How do implement it?
>
> Lets use an email example:
>
>    From: abc.com
>    DKIM-Signature: d=xyz.com
>
> In order to satisfy the checks, my verifier needs to a DNS SSP lookup.
>
> If the policy said "I send no mail", then is strong evidence that this
> message is unauthorized and unacceptable.  Agreed?
>
> If the policy said "I sign everything", then the existence of the
> DKIM-Signature is checked.  If it was missing, then is strong  
> evidence that
> this message is unauthorized and unacceptable.  Agreed?
>
> But it does exist, so you have two security questions here:
>
>     - Was a signature expected?
>     - Was a 3rd party signature expected?

Rephrase:
  Is this a designated signing domain?
  Do non-designated domains carry messages on behalf of this domain?

Non-designated domains carrying messages on behalf of a domain might  
be a mailing-list, an e-invite, a news article, an auction bid, etc.   
Although a domain may indicate that they have designated domains that  
sign all their messages, other non-designated services may not.   
Whether these other non-designated services are being used could be  
stipulated in the policy as perhaps representing an open/closed list.

> Lets handle the first question first - "Was a signature expected?"
>
> It is quite conceivable that during the migration period, many  
> systems will
> implement an DKIM verifier first before completely the DKIM signing
> component.  During this phase, it would not be signing message, so no
> message is expected to be sign.
>
> Understandibly, some people said that checking the KEY will fail so  
> this is
> basically the same "I never sign mail."

"I never sign" introduces a state tested against an invalid signature  
where not finding a key for a DKIM signature should be fairly  
suspicious by itself.  "No mail sent" provides a clear disposition  
for an invalid signature.  One would have to wonder about the  
motivation for making a "I never sign" assertion and how many would  
bother with it.

> But is not a 2nd DNS lookup. By simply adding policy "I never sign  
> mail",
> then the 1st SSP lookup would satisfy this requirement in an  
> efficient and
> optimal manner.

This seems to suggest that looking for policy precedes verification.   
Policy may or may not exist and may require several transactions.   
DNS transactions take awhile. The reason for questioning this, is  
that an open empty list should be defined as maybe signs as would be  
applied to any non-designated domain that might carry mail for the  
 From domain.  I doubt that many bad actors will attempt to spoof  
signatures without also knowing where a key exists within the domain  
to obtain a modicum of credibility.

> There could be other reasons why one may not want his mail signed  
> beside
> migrations, but migrations, to me, seems to be a good reason, in  
> fact, I can
> see us completing the DKIM verifier first before we get into the  
> signing
> part.  So I see this as a reasonable and practical situation.
>
> Now, the more complex issue is the second question "Was a 3rd party
> signature expected?"
>
> I believe this is where the major source of contention in  
> simplifying the
> policies vs. enhancing the security of the system.
>
> But consider this:  During the 1st SSP lookup, if there was a  
> policy "Only I
> sign mail", then we immediately resolve this condition with additional
> overhead or change in logic.   The verifier simply sees the  
> d=xyz.com and it
> will immediately now this is not a desirable condition expected by the
> domain.  1 DNS lookup is all that was required.
>
> So in opinion, there is sound technical reason to include:
>
>     "I never sign mail"
>     "Only I send mail"

Fine.

-Doug

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html