Stephen Farrell wrote:
> Doug,
>
> Thanks again for trying to be brief. I think it did make you
> easier to understand.
>
>> Terminology:
>> The terms "open-ended" and "closed" authorization are defined as:
>>
>> A basic function of email authorization referenced by way of an
>> identity is to influence the acceptance or rejection of a
>> message.
>> The term "closed" indicates acceptance is based upon the identity
>> being found within a defined set of identifiers. When acceptance
>> does not require that the identity be contained within a defined
>> set, this is described as open-ended authorization. This
>> definition is not altered by the rating of messages once they are
>> accepted.
>
> I don't think the term authorization is being properly applied
> there. To me at least authorization is what's happening when
> a policy enforcement point uses a policy decision point to get
> a yes/no answer about some requested action.
I agree with Stephen; my disagreements over the use of the term "authorization" for this are:

Let's compare DKIM without SSP with DKIM+SSP.

DKIM-base makes a positive statement about messages that are signed. Not that they're "good" messages, but that the signing domain actually signed them. If the signature address matches some other header in the message, it's claiming that it had that role -- sender, resender or "from" (presumably the originator of the message).

SSP adds the ability to provide some advice on what to do about unsigned messages. It doesn't authorize anything -- depending on the policy, it may determine that certain messages are "suspicious". It never makes a positive assertion. A "signs some" policy is the same as not having SSP at all; the other policies are more restrictive.

The threats here go something like this:

1. Attacker finds a domain that publishes a "signs some" policy (or doesn't publish a policy at all, since this is the default, currently at least). Attacker spoofs these addresses, since it isn't possible for the recipient to know whether they should have been signed. This attack exists whether or not SSP exists.

2. Attacker finds a domain that publishes a "-" policy (allows signatures from other domains). Attacker registers a disposable domain and signs messages "from" the found domain using the disposable domain. Attacker may even add headers pretending that the disposable domain is a mailing list or similar role. The messages will appear to be legitimate to the verifier, unless the verifier uses a reputation system (either local or shared) to determine that the signing domain does this sort of thing.

3. Attacker registers a bunch of domains to do attack #2. This is more of an attack on the reputation system than on DKIM itself.

So, to summarize, SSP only makes negative assertions: it calls certain messages "suspicious". Calling it an authorization system distorts its role.
-Jim

_______________________________________________
ietf-dkim mailing list
http://dkim.org
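The verifier-side logic Jim describes, written out as an added example (not code from the thread or from any DKIM implementation): a toy model of how a verifier would apply a published SSP policy to a message, showing that the "signs some" default, the "-" policy and the reputation check only ever produce the negative verdict "suspicious". The policy names, the `Message` layout, the `SIGNS_ALL_STRICT` variant and the `disreputable` set are my own assumptions, not tag values from the SSP draft.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy labels (not the draft's tag syntax).
SIGNS_SOME = "signs-some"              # default when no policy is published
SIGNS_ALL_THIRD_PARTY_OK = "-"         # the "-" policy: signs all, other signers allowed
SIGNS_ALL_STRICT = "signs-all-strict"  # assumed "more restrictive" variant: first-party only


@dataclass
class Message:
    from_domain: str                # domain of the From: header
    signer_domain: Optional[str]    # d= of the signature, or None if unsigned
    signature_valid: bool = True    # a broken signature is treated as no signature


def published_policy(domain: str, policies: dict) -> str:
    """Look up the domain's SSP record; absence means 'signs some'."""
    return policies.get(domain, SIGNS_SOME)


def verdict(msg: Message, policies: dict, disreputable=frozenset()) -> str:
    """Return 'suspicious' or 'not-suspicious'.

    SSP never vouches for a message: 'not-suspicious' only means the
    policy gave the verifier no reason to flag it.
    """
    policy = published_policy(msg.from_domain, policies)
    signer = msg.signer_domain if msg.signature_valid else None

    if signer == msg.from_domain:
        return "not-suspicious"  # first-party signature: SSP adds nothing
    if policy == SIGNS_SOME:
        # Threat 1: an unsigned (or third-party signed) message cannot be
        # distinguished from legitimate mail, with or without SSP.
        return "not-suspicious"
    if signer is None:
        return "suspicious"      # the domain says it signs everything
    if policy == SIGNS_ALL_THIRD_PARTY_OK:
        # Threat 2: any third-party signer satisfies the policy; only a
        # reputation check on the signing domain can catch a disposable one.
        return "suspicious" if signer in disreputable else "not-suspicious"
    return "suspicious"          # strict policy: third-party signer rejected


# Constructed sample records for the three cases in the thread.
POLICIES = {"bank.example": SIGNS_ALL_THIRD_PARTY_OK,
            "strict.example": SIGNS_ALL_STRICT}
```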