On Thu 17/Aug/2023 18:21:35 +0200 Murray S. Kucherawy wrote:
> On Thu, Aug 17, 2023 at 3:30 AM Alessandro Vesely <ves...@tana.it> wrote:
>>> I'm not convinced advice is necessary here. Do you really need signs in
>>> banks that say "Don't put your signature on random financial documents"? I
>>> have to believe that people understand what it means to sign something, and
>>> why they shouldn't do that.
>> Well, when banks don't do that, they're in bad faith. Consider, for
>> example, derivative financial contracts conceived so that nobody is able
>> to read them; banks don't even try to print them. Decadent practices.
> I don't know what you mean by "decadent", here or below.
> I disagree about the "bad faith" claim. I think everyone with their own
> agency understands what it means to affix their signature to something.
> It's on them to understand that fully, or assume the risks of not being
> diligent.
When a customer who is dedicating (part of) an afternoon to banking has to
/fully understand/ a 600-page agreement, the only choice he has is to assume
the risk and blindly trust the bank. You may disagree that that is bad faith.
It's the kind of thing I'd call decadent.
> In the case of high volume operations like scanning email, the scale forces
> you to play the odds that your inbound filtering gets it right a high
> enough percentage of the time that you're able to cope somehow with the
> things that slip through.
Yeah, here too you are forced to take the risk. Domains that trust their users
have easier options.
>> Domains cannot "read" the messages they sign. Some MPs may have wonderful
>> anti-spam filters, but that's still not the same as reading and signing an
>> agreement. We need to dismantle the agreement metaphor a bit.
> The logical extension of this line of thinking is that message
> authentication isn't meaningful. Is that where you're going with this?
No, the opposite. Message authentication allows a system to vet messages
without understanding their content, if it trusts the authenticated entities.
>> On the other hand, there are domains which blindly sign anything their
>> users write, enacting only minimal limits to prevent abuse in case of
>> compromised credentials. They can afford to do so because, for example,
>> users are employees and are known in person. Do such domains experience
>> replay attacks?
> Likely. So?
If corporate domains are victims of replay attacks at the same rate as free
mail providers, then my theory is wrong. See below.
>> What I'm trying to address is the relationship between users and mailbox
>> providers. Free MPs want anyone to be able to create a free account, and
>> that was at the root of their success. When domain authentication
>> arrived, they considered that /all/ messages from their domain must be
>> authenticated. DMARC reporting is specifically aimed at that goal.
> For something that signs at a domain level, why is this something with
> which we should concern ourselves?
Domains sign messages so that receivers can be sure about the origin. The
reputation a domain earns is then related to the amount of spam. Trusted
users, such as employees using a corporate domain, don't spam. Therefore, spam
emitted by such a domain is proportional to the likelihood that its accounts get
compromised. My theory is that free mail providers and ESPs offering free
trials host bad users whose purpose is to spam, either through replay or other
kinds of attacks. This would result in an increased number of replay attacks at
such domains.
That's what I gathered from the I-D and this list's posts. I repeatedly asked
for some real cases to be narrated, but didn't hear any. So I may be wrong.
>> The arms race you refer to is the result of indiscriminately accepting all
>> users. A small percentage of them are bad actors, but cannot be
>> identified because, in general, the real IDs of users are not ascertained.
>> At what point does claiming responsibility for non-ascertained entities
>> result in decadent practices?
> Again, I don't know what this means.
By decadent I mean a practice of signing while the value of verified signatures
gradually declines. Signing for any Tom, Dick and Harry becomes just noise.
>> There is no equivalence between authenticating subscribers and scanning
>> what they write. Both tasks need human intelligence, but the former
>> doesn't have to be done on each message. Scanning w/o intelligence is
>> only heuristic and relies heavily on volume limits, which is where replay
>> attacks get away with it.
> ...and this is entirely an internal matter. Are you arguing that this
> deserves protocol-level consideration?
If the above theory is correct, a "potential solution" could be added to the
I-D with considerations about varying signature ranks for domains with mixed
user types.
> If you're going to assert that Gmail should authenticate their users before
> allowing them to send stuff that will be signed, then I'm pretty sure they
> do that already.
I think they know much more about their users than what they express with the
signatures they put on messages. Anyway, they don't get the real IDs of users.
Thank you for following up
Ale
--
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim