Douglas Otis wrote:
On Aug 22, 2005, at 11:02 AM, Scott Kitterman wrote:
So to narrow my previous attempt at a summary, you think that
domain-wide assertions cannot be accurately made for mail addresses,
but that it can for HELO/EHLO?
Accuracy is not the issue. While a domain-wide assertion may
accurately issue requirements, the value of the assertion should be
assessed against intended goals. Part of that assessment should
include whether a goal is reasonably achieved, and weighed against
administrative complexity and a potential for inordinate use of DNS.
An assertion that HELO must verify with a CSA record where the same CSA
record makes the assertion, achieves the goal of assured verification
with low administrative complexity and low use of DNS.
It would seem to me then that effictiveness and usefulness of domain
wide sender policy assertions is a matter for proper design. I think
that saying that something must be well designed is not a reason to put
it out of scope for the working group's initial efforts.
Binding a mailbox-address or mailbox-domain to a domain signature is
not a goal, it is a mechanism. What is the intended goal? What is the
selection process? What level of administrative effort will this
entail? What level of DNS interaction is required?
Good design questions for the group to work on once it's chartered.
Such a domain-wide assertion could inhibit a zombie system from
purporting to offer valid signatures when signing for other domains.
It could also inhibit a zombie system from sending without a
signature. What has been excluded? A goal of preventing unauthorized
sending of email is accomplished with low administrative complexity and
low use of DNS.
Yes. An excellent reason to include such work in the charter.
In the same manner many use self-signed keys when accessing servers
using SSH, the same type of local manual binding is possible once there
is a domain signature. Should specific communications be important to
the recipient where they wish to be alerted to _possible_ spoofing of
these individuals or roles, perhaps the MUA could offer a button to
remember the mailbox-address/signing domain/ opaque-identifier
bindings. Any other message using that same mailbox-address that does
not include this binding would cause a warning. While this approach is
not iron-clad, it could help eliminate many of the common exploits.
Often the recipient knows by other means whether this is a valid
message to permit such initial assessments.
So you think that such a relationship can be established, at least in
part, but that it's not suitable to put it in DNS?
I have yet to hear your explanation how abuse can be determined in
advance.
I will say again that I don't think that's the point. The point is to
detect forgery. Whilst strictly speaking operating outside the domain
owner's stated sender policy isn't necessary exactly congruent with
forgery, I'll take that as close enough.
And that it will be up to users to determine the relationship
between the signing domain and the e-mail addresses and evaluate the
legitimacy of the message?
When DKIM becomes widely deployed (which assumes stumbling blocks were
not created), then simple features such as single click recording of
typical mailbox-address/signing-domain/opaque-identifier bindings would
make establishing a strong relationship a rather painless task. It
would also instill confidence without making email more complex to use
or entail a major portion of the Earth's available ram to support DNS.
It sounds to me like that's a long way of saying yes to my question. Is
that right?
Scott Kitterman
_______________________________________________
ietf-dkim mailing list
http://dkim.org
