On Aug 6, 2006, at 1:33 AM, Hector Santos wrote:
----- Original Message -----
From: "Dave Crocker" <[EMAIL PROTECTED]>
To: <ietf-dkim@mipassoc.org>
The two that I vote for are:
1. I sign everything.
2. I send no mail.
Dave, these are ok, but please consider the implementations
considerations
that were already discussed in the old list and well as here.
Lets assume these are it. How do implement it?
Lets use an email example:
From: abc.com
DKIM-Signature: d=xyz.com
In order to satisfy the checks, my verifier needs to a DNS SSP lookup.
If the policy said "I send no mail", then is strong evidence that this
message is unauthorized and unacceptable. Agreed?
If the policy said "I sign everything", then the existence of the
DKIM-Signature is checked. If it was missing, then is strong
evidence that
this message is unauthorized and unacceptable. Agreed?
But it does exist, so you have two security questions here:
- Was a signature expected?
- Was a 3rd party signature expected?
Rephrase:
Is this a designated signing domain?
Do non-designated domains carry messages on behalf of this domain?
Non-designated domains carrying messages on behalf of a domain might
be a mailing-list, an e-invite, a news article, an auction bid, etc.
Although a domain may indicate that they have designated domains that
sign all their messages, other non-designated services may not.
Whether these other non-designated services are being used could be
stipulated in the policy as perhaps representing an open/closed list.
Lets handle the first question first - "Was a signature expected?"
It is quite conceivable that during the migration period, many
systems will
implement an DKIM verifier first before completely the DKIM signing
component. During this phase, it would not be signing message, so no
message is expected to be sign.
Understandibly, some people said that checking the KEY will fail so
this is
basically the same "I never sign mail."
"I never sign" introduces a state tested against an invalid signature
where not finding a key for a DKIM signature should be fairly
suspicious by itself. "No mail sent" provides a clear disposition
for an invalid signature. One would have to wonder about the
motivation for making a "I never sign" assertion and how many would
bother with it.
But is not a 2nd DNS lookup. By simply adding policy "I never sign
mail",
then the 1st SSP lookup would satisfy this requirement in an
efficient and
optimal manner.
This seems to suggest that looking for policy precedes verification.
Policy may or may not exist and may require several transactions.
DNS transactions take awhile. The reason for questioning this, is
that an open empty list should be defined as maybe signs as would be
applied to any non-designated domain that might carry mail for the
From domain. I doubt that many bad actors will attempt to spoof
signatures without also knowing where a key exists within the domain
to obtain a modicum of credibility.
There could be other reasons why one may not want his mail signed
beside
migrations, but migrations, to me, seems to be a good reason, in
fact, I can
see us completing the DKIM verifier first before we get into the
signing
part. So I see this as a reasonable and practical situation.
Now, the more complex issue is the second question "Was a 3rd party
signature expected?"
I believe this is where the major source of contention in
simplifying the
policies vs. enhancing the security of the system.
But consider this: During the 1st SSP lookup, if there was a
policy "Only I
sign mail", then we immediately resolve this condition with additional
overhead or change in logic. The verifier simply sees the
d=xyz.com and it
will immediately now this is not a desirable condition expected by the
domain. 1 DNS lookup is all that was required.
So in opinion, there is sound technical reason to include:
"I never sign mail"
"Only I send mail"
Fine.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
