On Fri, Nov 4, 2022 at 4:18 AM Douglas Foster <
dougfoster.emailstanda...@gmail.com> wrote:

> Maybe the problem is that John has trademarked "weak" to mean "L=0", so I
> will use "poorly constructed".   DKIM "works" because malicious actors have
> found easier ways to attack than using an intermediary MTA to alter a
> message without breaking the signature.   This may not always be the case,
> and signature construction practices lack consistency, making many of them
> vulnerable if mischief occurs.   Nonetheless, well-constructed
> signatures are a guidance issue, so I have no problem with putting it in a
> guidance document, as long as one is actually written.
>

I'm actually trying to remember what "weak" was supposed to mean.  It could
refer to a number of different things, anything from not following DKIM's
signing recommendations to unacceptably small keys to "l=0".  We probably
should be specific, or stop using it.

> But right now, we are not moving toward the goal because the players have
> left the field.   The questions before the group are:
>
> - Do non-aligned signatures provide any benefit to domain owners?
>

I suggest that the answer is "maybe".  DKIM only really tells you something
when the signature passes; at that point you can conclude that the message
definitely either came from or passed through whatever domain generated the
signature.  A failing signature tells you nothing, given the myriad ways a
perfectly valid signature on a properly handled message can still be
invalidated.

A receiver can thus make decisions based on the (possibly empty) set of
domains for which passing signatures were present on a message.  Imagine
for a moment the existence of a globally accepted spam filtering service; a
passing signature from that operator might compel a receiver to increase
its regard for such a message.

Or maybe I host my domain at some highly reputable mailbox provider, or
engage a commercial bulk emailing service.  A receiver might see a valid
signature from my domain on there as well as one from the service, and
develop filtering decisions based on that combination.  One of those
domains is not aligned, yet possibly valuable.

> - If those benefits exist, do they add sufficient value to justify the
> burden on thousands of evaluators to perform extra work on many millions of
> incoming messages?
>

Again, "maybe".  Operators are free to make their own filtering choices.

I built an open source reputation system based on DKIM some years ago, and
it was somewhat effective.  This pre-dated DMARC; all it cared about was
the perceived reputation of whoever signed the message (for valid
signatures), and then it made filtering decisions based on the data it had
collected to that point.  That suggests to me that the concept we're
discussing here isn't something DMARC should be trying to tackle.  At most,
I suggest saying DMARC verifiers should be aware that whatever their DKIM
verifiers pass them (via A-R or other means) is what they get; if the DKIM
verifier is not sufficiently specific in what it considers satisfactory,
pick a different verifier.

I would also recommend reviewing Section 5.4 (and in particular 5.4.1) of
the DKIM RFC, as it talks about which header fields are important to cover
in the signature.  Any signature that doesn't cover that starts to become
"weak" in that it's possible to alter some of the content or intent of the
message without invalidating the signature.  It also talks about which
things one ought not include for fear of spurious invalidation.


> Some members believe that unaligned signature information might be useful
> to somebody sometime.  Unfortunately, no one has been able or willing to
> document a scenario where any such benefit has been obtained by any domain
> owner at any time.   The silence is awkward.
>
> Perhaps these nonaligned signatures are an unnecessary burden on both
> evaluators and domain owners.
>
> Can someone defend the status quo?   If not, can we have consensus to
> change it?
>

How'd I do?  :-)

-MSK, participating
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
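
The signature-construction points raised in this message (an `l=` body limit, header fields left out of `h=`), as an added Python example that is not part of the original post or of any DKIM implementation: it parses a DKIM-Signature value and lists what the signature leaves uncovered. The sample signatures, domains and the `CORE_FIELDS` subset are constructed for illustration.

```python
import re

# Subset of the fields RFC 6376 section 5.4.1 suggests signing; which ones
# count as "core" here is this example's assumption, not the RFC's wording.
CORE_FIELDS = ("from", "reply-to", "subject", "date", "to", "cc",
               "in-reply-to", "references")

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        name, _, val = part.partition("=")
        # Folding whitespace is not significant in the tags read here (d, h, l).
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def review_signature(value, present_fields):
    """Return (signing domain, findings) given the field names in the message."""
    tags = parse_tags(value)
    signed = {f.lower() for f in tags.get("h", "").split(":") if f}
    findings = []
    if "from" not in signed:
        findings.append("From not signed (invalid per RFC 6376)")
    if "l" in tags:
        findings.append(f"l={tags['l']}: body beyond {tags['l']} octets is unsigned")
    present = {f.lower() for f in present_fields}
    for field in CORE_FIELDS:
        if field in present and field not in signed:
            findings.append(f"{field} present but not covered by h=")
    return tags.get("d", ""), findings

# Constructed sample signatures (placeholder bh=/b= values, not real hashes).
GOOD = ("v=1; a=rsa-sha256; d=example.com; s=sel1; c=relaxed/relaxed;\r\n"
        " h=From:To:Subject:Date:Reply-To; bh=AAAA; b=BBBB")
LOOSE = "v=1; a=rsa-sha256; d=example.net; s=sel2; l=0; h=From:Date; bh=AAAA; b=BBBB"
MESSAGE_FIELDS = ["From", "To", "Subject", "Date", "Reply-To"]

if __name__ == "__main__":
    for sig in (GOOD, LOOSE):
        domain, findings = review_signature(sig, MESSAGE_FIELDS)
        print(domain, findings or "no findings")
```

A passing result for the second signature would still say nothing about the body, Subject, To or Reply-To, which is the distinction a receiver loses if its DKIM verifier reports only pass or fail.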
