Re: [ietf-dkim] spam filtering 101

[Alessandro Vesely]

On 27/Jun/11 23:38, Michael Deutschmann wrote:
 
 * Put it in its own RFC *
 
 I think there's room for a Minimum Quality of Forgery Supression BCP.
 Such an RFC would outline a number of faults a message can have, and
 declare that any of those faults mean the message MUST NOT be delivered
 to the nominal recipient.

+1, revising RFC 2505, whose date is in last century, should be due.

___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] Last Call: draft-ietf-dkim-rfc4871bis-12.txt (DomainKeys Identified Mail (DKIM) Signatures) to Draft Standard

[Rolf E. Sonneveld]

One final note from me, as I want to state my current position regarding 
4871bis, with respect to Last Call.

As the receiving verifier has all the information to _reliably_ [0] 
determine which combination(s) [1] of From [2] and DKIM-Signature 
verifies correctly, it has the means to provide any consuming 
application with the right information. The mechanism(s) by which the 
verification results can be communicated to a consumer (as per par. 6.2 
of 4871bis) can be chosen by the verifier and does not restrict the 
results to only TEMPFAIL, PERMFAIL and SUCCESS [3].

Second, today there is hardly any installed base of MUA's that present 
any form of DKIM results to the end user, so most of this technology 
still needs to be written and 4871bis contains sufficient warnings about 
duplicate From and other fields; so in my view the argument of DKIM not 
being 'compatible' with the currently installed base of MUA's does not 
apply.

Third, DKIM is only one of multiple technologies that can and will be 
deployed by both senders and receivers. This means that any policy 
published by a sender regarding the use of DKIM does not have to provide 
a sharp 'black' or 'white', 'keep' or 'discard' result. Senders that 
wish to publish a policy need to take into account that the world is not 
perfect and that there always will be lousy implementations of protocols 
(be it RFC5321, RFC5322, RFC4871 or RFC4871bis). [4] It's better to 
acknowledge this, than to rely on the 'MUST's in this particular DKIM 
RFC. Policies that do not take this into account, can/may have dramatic 
results.

Hence, I no longer see a problem in 4871bis not mandating the duplicate 
header check.

/rolf

[0] irrespective of whether a From field has been prepended or appended 
or no such thing at all
[1] (s) plural form, if there are multiple DKIM-Signatures and multiple 
 From fields.
[2] From is mentioned here only:
- because it is the only mandatory header field to be used to generate 
the signature and
- for the case that there's a consuming application that would display 
the From header, which in your view is the attack vector
Apart from that, there is no special reason to focus here on From
[3] although TEMPFAIL and PERMFAIL are mentioned in 4871, there is no 
equivalent identifier for a positive result, is there? I suggest to make 
the success status explicit in 4871bis
[4] The fact that a sender doesn't know in advance how well the receiver 
implements the DKIM verification process will need to be taken into 
account for any policy protocol that will be built on top of DKIM.
___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

Re: [ietf-dkim] spam filtering 101

[Murray S. Kucherawy]

 -Original Message-
 From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] 
 On Behalf Of Alessandro Vesely
 Sent: Tuesday, June 28, 2011 12:13 AM
 To: ietf-dkim@mipassoc.org
 Subject: Re: [ietf-dkim] spam filtering 101
 
 +1, revising RFC 2505, whose date is in last century, should be due.

Actually I suspect this might be a different document, since the claimed attack 
isn't necessarily specific to spam.  Such a new document might make a lot of 
references to RFC2505.

On the other hand, if RFC2505bis was geared (and re-titled) toward more general 
abuse prevention, it would make more sense.

In any case, it seems unlikely this group will re-charter to do that, so 
someone could take it up as an independent submission or bring it to the 
APPSAWG or something like that.

___
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

[ietf-dkim] Pete's review of 4871bis

[Pete Resnick]

Folks,

I've been reviewing 4871bis for the IESG review on Thursday. I've got a 
huge number of comments. Some of them (e.g., the first two below) are 
quite trivial or simple issues that I expect you'd either have no issue 
with or that I'm happy to ignore; some of them are clearly not trivial 
at all. I have not entered a ballot position yet, and I haven't sorted 
through all of the comments to decide if any are worthy of entering a 
DISCUSS, but I suspect that some of them are. I therefore wanted to post 
this to the WG list so you all get an idea of what I'm thinking about. 
Tomorrow I'll spend some time cleaning these up and sorting them by 
category instead of by order of the document.

I apologize for the lateness of this review; it's probably something I 
should have done a long time ago.

Comments:

1. I find the use of the word INFORMATIVE throughout the document 
superfluous. No other word (e.g., NORMATIVE) is used in its place. I 
think they should all be removed. They serve no purpose.

2. The ABNF 0* construct is not normally used. Why not just *?

3. Section 2.7: I don't understand what the word module means in this 
context. It sounds like some sort of specific implementation, not part 
of a protocol. I don't know what it means to deliver values to a module.

4. Section 3.4.4:

   INFORMATIVE NOTE: It should be noted that the relaxed body
   canonicalization algorithm may enable certain types of extremely
   crude ASCII Art attacks where a message may be conveyed by
   adjusting the spacing between words.  If this is a concern, the
   simple body canonicalization algorithm should be used instead.

This is not an attack, or at the very least it is not an attack on DKIM. 
You can play this same game with MIME encodings or other textual tricks. 
I don't see any justification for this note being in this document.

5. Section 3.4.5:

   INFORMATIVE IMPLEMENTATION NOTE: Using body length limits enables
   an attack in which an attacker modifies a message to include
   content that solely benefits the attacker.  It is possible for the
   appended content to completely replace the original content in the
   end recipient's eyes, such as via alterations to the MIME
   structure or exploiting lax HTML parsing in the MUA, and to defeat
   duplicate message detection algorithms.  To avoid this attack,
   signers should be wary of using this tag, and verifiers might wish
   to ignore the tag, perhaps based on other criteria.

I don't understand how this is an attack. If the signer said, I'm 
signing the first n bytes of the body of this message and the verifier 
is able to verify that the signature is valid for n bytes of the body, 
the algorithm has succeeded. At most, this should lead to an admonition 
that unsigned data is not verified and therefore should not be trusted, 
but that seems obvious. There might be an attack on an MUA that does not 
verify the DKIM signature, but that seems outside the scope of this 
document.

6. Section 3.5:

v= Version (MUST be included).  This tag defines the version of this
   specification that applies to the signature record.  It MUST have
   the value 1.  Note that verifiers must do a string comparison on
   this value; for example, 1 is not the same as 1.0.

Why string comparison here? There's no case sensitivity to worry 
about. There's no character encoding to worry about. Why not instead 
say, Note that verifiers must (MUST?) ensure that the value is '1'; for 
exmaple '1' is not the same as '1.0'? (Seem similar text in 3.6.1.) And 
why is the value not listed as plain-text?

7. Section 3.5: It would be nice to subsection each tag here. (e.g., 
v= could be 3.5.1, etc.)

8. Section 3.5, h=:

It would be nice to add a sentence similar to the one in 5.4: The field 
MAY contain multiple instances of a header field name; this means that 
multiple occurrences of the header field are being signed by the signing 
algorithm.

9. Section 3.5, h=:

  INFORMATIVE EXPLANATION: By signing header fields that do not
  actually exist, a signer can allow a verifier to detect
  insertion of those header fields after signing.  However, since
  a signer cannot possibly know what header fields might be
  created in the future, and that some MUAs might present header
  fields that are embedded inside a message (e.g., as a message/
  rfc822 content type), the security of this solution is not
  total.

a. I don't understand what MUAs presenting header fields that are 
embedded inside a message has to do with anything.

b. I don't know what the words, the security of this solution is not 
total are supposed to mean.

Don't you simply mean: However, since a signer cannot possibly know 
what header fields might be defined in the future, this mechanism can't 
be used to prevent the addition of any possible unknown header fields.?

10. Section 3.5, h=: