Re: [ietf-dkim] DKIM Japan has been set up
--On 23 November 2010 12:18:44 -0500 John R. Levine jo...@iecc.com wrote:

>> Actually, they're complementary. In places where DKIM fails (mailing lists rewriting messages), SPF can succeed.
>
> Haven't we been over this a hundred times already? It's ADSP, not DKIM, that fails on mailing list mail. DKIM works just dandy, when lists sign their mail like this one does.

A good point. And SPF works just dandy if the intermediary uses SRS.

I'll rephrase: Unless the intermediary co-operates by re-signing, mailing lists can break DKIM signatures. Since mailing lists generally use their own RFC 5321 return paths, SPF failures should not result. Of course, a broken DKIM signature is equivalent to none at all. You should not reject or discard mail on this basis, but you do lose the ability to assign signer domain based reputation to the message.

Unless the intermediary co-operates with SRS, or similar, *forwarding* can result in SPF failure. Since forwarders generally don't change the message content, DKIM signatures should remain intact.

-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/

___
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM Japan has been set up
Ian Eiloart:
> Unless the intermediary co-operates by re-signing, mailing lists can break DKIM signatures. Since mailing lists generally use their own RFC 5321 return paths, SPF failures should not result. Of course, a broken DKIM signature is equivalent to none at all. You should not reject or discard mail on this basis, but you do lose the ability to assign signer domain based reputation to the message.
>
> Unless the intermediary co-operates with SRS, or similar, *forwarding* can result in SPF failure. Since forwarders generally don't change the message content, DKIM signatures should remain intact.

Please do not confuse mailing lists with email forwarding. The two are different things. It is not helpful to take an argument from one context and use that to prove a point in the other context.

	Wietse
Re: [ietf-dkim] DKIM Japan has been set up
--On 24 November 2010 09:53:41 -0500 Wietse Venema wie...@porcupine.org wrote:

> Ian Eiloart:
>> Unless the intermediary co-operates by re-signing, mailing lists can break DKIM signatures. Since mailing lists generally use their own RFC 5321 return paths, SPF failures should not result. Of course, a broken DKIM signature is equivalent to none at all. You should not reject or discard mail on this basis, but you do lose the ability to assign signer domain based reputation to the message.
>>
>> Unless the intermediary co-operates with SRS, or similar, *forwarding* can result in SPF failure. Since forwarders generally don't change the message content, DKIM signatures should remain intact.
>
> Please do not confuse mailing lists with email forwarding. The two are different things. It is not helpful to take an argument from one context and use that to prove a point in the other context.

I'm not confusing the two. DKIM and SPF both permit the use of domain based reputation databases. Unfortunately, both have problems with various paths that emails may take. Fortunately, the problematic paths are different - mailing lists are problematic for one, and forwarding is problematic for the other. My point that DKIM and SPF can complement one another therefore relies on an understanding that mailing lists are not forwarders.

> 	Wietse

-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
Re: [ietf-dkim] DKIM Japan has been set up
On 11/23/2010 5:50 AM, Tony Hansen wrote:
> Instead of using failed DKIM signatures as a way to blacklist messages and potentially discard them, I suggest you concentrate on ways to use verified DKIM signatures along with reputation mechanisms in order to whitelist messages.

+10

d/
-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Re: [ietf-dkim] DKIM Japan has been set up
--On 22 November 2010 09:25:26 -0800 Steve Atkins st...@wordtothewise.com wrote:
> ADSP is better than SPF, but it's still not something anyone should consider deploying widely as a primary means of deciding to discard inbound email.

Actually, they're complementary. In places where DKIM fails (mailing lists rewriting messages), SPF can succeed. And in places where SPF fails (message forwarding), DKIM can succeed. Messages can have a reasonable level of trust if they achieve either an SPF pass for a trusted domain, OR a DKIM verification for a trusted signer. Of course, you still need to check for malware and be wary of messages from compromised accounts.

Deployment of SPF and DKIM are both low enough that you can't either reject or discard messages simply because they don't pass or verify. But, we already give a small negative spam score for SPF softfail and neutral results, and haven't had any complaints. For DKIM it's harder, but for certain author domains (including those that publish ADSP discardable), it might be worth considering downgrading messages - especially when combined with SPF fail/neutral/softfail.

-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
Re: [ietf-dkim] DKIM Japan has been set up
John R. Levine jo...@iecc.com wrote:
> We really need a FAQ for this group.
>
>>> Simply publishing an ADSP record does not change this fact. ADSP can perhaps be used productively for specific signers and verifiers, but it does not work for all legitimate scenarios.
>>
>> What does work for all legitimate scenarios?
>
> Short answer: nothing.

Right. It also doesn't wax my car, which is equally relevant. ADSP certainly isn't ideal, but (unlike the rest of your message) saying something does not work for all legitimate scenarios is not a useful contribution to the discussion.

Scott K
Re: [ietf-dkim] DKIM Japan has been set up
--On 23 November 2010 02:06:17 +0900 Tsuneki Ohnishi ts...@infomania.co.jp wrote:
> Well, it's just a newbie's idea, so may be totally unacceptable. But please understand that we're heavily committed. Gotta find a way through.

My view is that this is a long term game. You can help by encouraging uptake of DKIM, and deploying domain based reputation engines. If your major public ISPs, corporate, and government sites make use of these things, then deliverability will be improved for legitimate mailers who deploy DKIM.

You also need to encourage deployment of RFC 5068, in order that sent emails are more likely to be properly routed through the relevant DKIM signing engines. http://www.apps.ietf.org/rfc/rfc5068.html

I'd also suggest deploying SPF as a complementary technology. Most email paths preserve either DKIM or SPF, even when one or other is not preserved. They both permit the use of domain based reputation engines, although the domains protected will not always be the same.

Finally, promote the use of MTAs that can verify DKIM during the SMTP session. This way, messages can be rejected rather than discarded, if there's a problem. Rejection of messages at SMTP time permits the sender to be aware of problems with false positives.

-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
Re: [ietf-dkim] DKIM Japan has been set up
> Actually, they're complementary. In places where DKIM fails (mailing lists rewriting messages), SPF can succeed.

Haven't we been over this a hundred times already? It's ADSP, not DKIM, that fails on mailing list mail. DKIM works just dandy, when lists sign their mail like this one does.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies,
Please consider the environment before reading this e-mail. http://jl.ly
Re: [ietf-dkim] DKIM Japan has been set up
Hi Tsuneki,
first of all, since I write, let me make my welcome-on-list explicit!

On 22/Nov/10 03:43, Tsuneki Ohnishi wrote:
> Senders in dkim.jp are committed to attach DKIM signature within 6 months, and possibly ready to write their ADSP discardable. Since we have major ISPs on our member list and they are very willing to discard unverified emails, no surprise about it :-), we are trying to inch up to the level where all domestic emails are signed and verified.

I hope you'll get replies more qualified than mine... FWIW, I suggest you do not use ADSP that way.

> But there is a small problem. It is rather political. We have a telecommunication law that allows ISPs to discard forged email, but our Ministry so far does not acknowledge that failure of DKIM verification immediately equals to forgery, because there could be other reasons to fail.

IMHO, your Ministry is correct.

> We can fight about it taking time to get through to dull Japanese bureaucracy, but I think there is a faster way. It is to let senders have an option to declare that if there is no DKIM signature at all, verifiers can discard those messages. Then we can shut their mouths insisting there could be other reasons.

As an alternative, it is the recipients who may eventually decide they are not interested in receiving unsigned contributions to their inboxes, unless they have other means to identify those messages. IMHO, such a decision should be made by each recipient individually.
Re: [ietf-dkim] DKIM Japan has been set up
Thanks for your comment, Hector and Alessandro. I understand your point.

First, Alessandro, let me reply to your comment. Yes, very true, it is recipients' choice to discard messages. But in fact, that choice is lost for now because our Ministry does not allow that. My idea was to build another level of ground where the author, recipients and the Ministry can agree on, if-no-sig then discardable.

And I see your point, Hector. If we draw a line between Sig and No-sig, that would allow broken signatures to be accepted. But as you pointed out, bad guys still remain in legacy operation, so the line between Sig and No-sig works for the time being. I know that it is not the best way to do it, but it could be a practical step to the wider adoption. Because if that option gets valid, I am sure more authors would choose it at least here in Japan. I don't think that undermines the effectiveness of DKIM, because one can always rewrite his ADSP 'discardable' if the bad guys start spoofing with forged signatures.

Well, it's just a newbie's idea, so may be totally unacceptable. But please understand that we're heavily committed. Gotta find a way through.

Tsuneki Ohnishi
infomani@ Inc.

On 2010/11/22, at 18:16, Alessandro Vesely wrote:
> As an alternative, it is the recipients who may eventually decide they are not interested in receiving unsigned contributions to their inboxes, unless they have other means to identify those messages. IMHO, such a decision should be made by each recipient individually.

On 2010/11/22, at 14:49, Hector Santos wrote:
> Tsuneki Ohnishi wrote:
>> So, my point is that what do you think of the idea to have a new entry in ADSP discard-if-no-sig, which allows senders to declare messages without DKIM signature should be discarded? If that's possible, it makes our job a lot easier and faster.
>
> Hi. You are basically asking to make a distinct difference between:
>
> 1) a real no-signature message versus
> 2) a message whose signature is broken (invalid).
>
> The DKIM specification says that a broken signature is the same as a no-signature message. It is important to know the difference because if you are concerned about a Real No-Sig versus a Broken one, where a Real No-Sig is discarded but a Broken one is not, then what's to stop the Bad Guy from adding a broken signature by design and for the sole purpose of making sure the message is now indeterminate and you don't filter it?
>
> The problem with DKIM is the stuff in the middle - a real no-sig message can be made to work, as well as when there is a valid signature. It's the faults of the system that are challenging - what do you do with failures? And what makes it even more difficult is that the specification has evolved to one where any system, middle-ware or hop, can break or remove an author domain signature without restrictions. This was done to appease the LIST managers, 3rd party signers and the reputation market.
>
> IMO, I think DISCARD should cover what you want, but you have to view it as a strong policy with no exceptions, i.e., a broken signature is just as bad as no signature and, more importantly, no interference or 3rd party signers can override the message author domain security expectations. If you allow for broken signatures to be acceptable, partially or otherwise, in an ADSP setup, then it just confuses the intent and it potentially feeds bad guys to give you broken signatures because that is OK by you.
>
> Right now, there is no incentive for bad guys to adapt or change. They can remain in legacy operations (no signature) because there is no wide adoption or foundation for DKIM policies or the handling of policy faults. Having a MUST SIGN policy widely adopted (and supported) would begin to make a change in legacy operations. They will most likely avoid your POLICY protected domain. But if you allow for broken ones, then they can adapt by adding a spoofed but broken signature.
>
> -- 
> Hector Santos, CTO
> http://www.santronics.com

--
Infomania Inc. (株式会社インフォマニア) ≫ http://www.infomania.co.jp/
Representative Director Tsuneki Ohnishi (大西恒樹) ≫ TEL 045-914-5304 FAX 5404
Spam mail filter ≫ http://www.answre.jp/
Pizzeria Martano (マルターノ) ≫ http://www.martano.jp/
Twitter account ≫ mjwords
Re: [ietf-dkim] DKIM Japan has been set up
On 11/21/2010 6:43 PM, Tsuneki Ohnishi wrote:
> But there is a small problem. It is rather political. We have a telecommunication law that allows ISPs to discard forged email, but our Ministry so far does not acknowledge that failure of DKIM verification immediately equals to forgery, because there could be other reasons to fail.

There are technical and operational reasons that can cause legitimate mail that was originally signed with a legitimate DKIM signature, to fail to verify. The fact that a signer signs all their mail does not mean that all their mail will arrive with a valid signature.

Simply publishing an ADSP record does not change this fact. ADSP can perhaps be used productively for specific signers and verifiers, but it does not work for all legitimate scenarios.

d/
-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Re: [ietf-dkim] DKIM Japan has been set up
On Monday, November 22, 2010 01:37:13 pm Dave CROCKER wrote:
> On 11/21/2010 6:43 PM, Tsuneki Ohnishi wrote:
>> But there is a small problem. It is rather political. We have a telecommunication law that allows ISPs to discard forged email, but our Ministry so far does not acknowledge that failure of DKIM verification immediately equals to forgery, because there could be other reasons to fail.
>
> There are technical and operational reasons that can cause legitimate mail that was originally signed with a legitimate DKIM signature, to fail to verify. The fact that a signer signs all their mail does not mean that all their mail will arrive with a valid signature.
>
> Simply publishing an ADSP record does not change this fact. ADSP can perhaps be used productively for specific signers and verifiers, but it does not work for all legitimate scenarios.

What does work for all legitimate scenarios?

Scott K
Re: [ietf-dkim] DKIM Japan has been set up
On 11/22/10 9:25 AM, Steve Atkins wrote:
> ...
> But if you're trying to stop mail that's being sent by a bad actor... give up on this approach, as it's trivial to add a fake DKIM header that will not authenticate. Also, it may discard quite a bit of legitimate email, if any of your users subscribe to mailing lists (some mailing list managers are likely to strip out DKIM headers in the cases where they know they'll invalidate them).

Agreed. DKIM does not offer a comprehensive method to qualify the source of a message. Extensions, such as the TPA-Label scheme, could extend signing policy to include other authentication and authorization methods and retain delivery integrity. ADSP using just DKIM is likely to cause a significant loss of legitimate email, especially when DISCARDABLE is asserted.

-Doug
Re: [ietf-dkim] DKIM Japan has been set up
We really need a FAQ for this group.

>> Simply publishing an ADSP record does not change this fact. ADSP can perhaps be used productively for specific signers and verifiers, but it does not work for all legitimate scenarios.
>
> What does work for all legitimate scenarios?

Short answer: nothing.

Slightly longer answer: the problem with ADSP is that, based on my limited but I think credible statistics, most people who publish ADSP don't know what it means, so blindly following ADSP advice from random domains is more likely to discard real mail than phishes.

There certainly are some domains that sign all their mail, don't mix individual with transactional mail, and are phish targets. Paypal.com is the standard example. Competently maintained lists of those domains would provide useful advice for discarding likely phishes. Back in June I wrote draft-levine-dbr-00, which describes Denounce-By-Reference, a simple way to publish such lists in the DNS. Anyone want to move it along?

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies,
Please consider the environment before reading this e-mail. http://jl.ly
Re: [ietf-dkim] DKIM Japan has been set up
Tsuneki,

Tsuneki Ohnishi ts...@infomania.co.jp writes:
> Hi to all, I am Tsuneki Ohnishi and I would like to let you know that DKIM Japan (dkim.jp) has just been set up as of Nov 15, 2010. It's a non-profit organization and its main purpose is to share information and to clear the decks for the nationwide implementation of DKIM.
>
> Our board members consist of top major companies like Yahoo! Japan, Sendmail, Rakuten Inc., Nifty Corp, PIPED BITS Co.Ltd, and infomani@ Inc. Other members sum up to about 30 companies now, consisting of major ISPs, ebiz companies and security vendors. We also have the Ministry of Public Management, Home Affairs, Posts and Telecommunications as an observer.
>
> I am the company owner of infomani@ Inc and speaking on behalf of dkim.jp. What I would like to do here is to share information and possibly contribute to the community by giving feedback from what we're trying to do in Japan. I may ask some dumb questions since I am new here, but I hope I'm welcome. :-)
>
> Tsuneki Ohnishi
> infomani@ Inc.

Welcome to DKIM world! Sadly, there is no man interested in DKIM in Korea. Go for it DKIM without stop, thanks!

Sincerely,

-- 
Soyeomul Byung-Hee HWANG (黃炳熙) | .. 15 minutes before departure ..
It's Johnny, he came to the wedding, what did I tell you? It's really your godson. -- Vito Corleone and Tom Hagen, Chapter 1, page 33
Re: [ietf-dkim] DKIM Japan has been set up
Thanks, Bill, Mark and Byung-Hee for the warm welcome. Yes, we gotta start something somewhere and glad to let you know that we are starting something here. If possible, let's work together for the spread out in eastern Asia, Byung-Hee.

Well, let me give you the first feedback of what's been discussed at the point of implementation here, and I would like to ask your opinions.

Here is our situation. Members of dkim.jp so far circulate somewhat like 30% of domestic emails and a lot more forged emails coming from overseas, especially forged @yahoo.co.jp and @rakuten.co.jp. So with the initiative of those two companies and others, we got together to get rid of those forged emails.

Senders in dkim.jp are committed to attach DKIM signature within 6 months, and possibly ready to write their ADSP discardable. Since we have major ISPs on our member list and they are very willing to discard unverified emails, no surprise about it :-), we are trying to inch up to the level where all domestic emails are signed and verified.

But there is a small problem. It is rather political. We have a telecommunication law that allows ISPs to discard forged email, but our Ministry so far does not acknowledge that failure of DKIM verification immediately equals to forgery, because there could be other reasons to fail.

We can fight about it taking time to get through to dull Japanese bureaucracy, but I think there is a faster way. It is to let senders have an option to declare that if there is no DKIM signature at all, verifiers can discard those messages. Then we can shut their mouths insisting there could be other reasons.

So, my point is that what do you think of the idea to have a new entry in ADSP discard-if-no-sig, which allows senders to declare messages without DKIM signature should be discarded? If that's possible, it makes our job a lot easier and faster.

Thanks,
Tsuneki Ohnishi

> On Sat, Nov 20, 2010 at 11:49:36AM +0900, Tsuneki Ohnishi allegedly wrote:
>> Hi to all, I am Tsuneki Ohnishi and I would like to let you know that DKIM Japan (dkim.jp) has just been set up as of Nov 15, 2010.
>
> Welcome, Tsuneki, glad to have you join. It's great news to hear of such commitment. Who knows? Maybe .jp will be the first ccTLD to get comprehensive DKIM coverage. Wouldn't that be something!
>
> Mark.
Re: [ietf-dkim] DKIM Japan has been set up
Tsuneki Ohnishi wrote:
> So, my point is that what do you think of the idea to have a new entry in ADSP discard-if-no-sig, which allows senders to declare messages without DKIM signature should be discarded? If that's possible, it makes our job a lot easier and faster.

Hi. You are basically asking to make a distinct difference between:

1) a real no-signature message versus
2) a message whose signature is broken (invalid).

The DKIM specification says that a broken signature is the same as a no-signature message. It is important to know the difference because if you are concerned about a Real No-Sig versus a Broken one, where a Real No-Sig is discarded but a Broken one is not, then what's to stop the Bad Guy from adding a broken signature by design and for the sole purpose of making sure the message is now indeterminate and you don't filter it?

The problem with DKIM is the stuff in the middle - a real no-sig message can be made to work, as well as when there is a valid signature. It's the faults of the system that are challenging - what do you do with failures? And what makes it even more difficult is that the specification has evolved to one where any system, middle-ware or hop, can break or remove an author domain signature without restrictions. This was done to appease the LIST managers, 3rd party signers and the reputation market.

IMO, I think DISCARD should cover what you want, but you have to view it as a strong policy with no exceptions, i.e., a broken signature is just as bad as no signature and, more importantly, no interference or 3rd party signers can override the message author domain security expectations. If you allow for broken signatures to be acceptable, partially or otherwise, in an ADSP setup, then it just confuses the intent and it potentially feeds bad guys to give you broken signatures because that is OK by you.

Right now, there is no incentive for bad guys to adapt or change. They can remain in legacy operations (no signature) because there is no wide adoption or foundation for DKIM policies or the handling of policy faults. Having a MUST SIGN policy widely adopted (and supported) would begin to make a change in legacy operations. They will most likely avoid your POLICY protected domain. But if you allow for broken ones, then they can adapt by adding a spoofed but broken signature.

-- 
Hector Santos, CTO
http://www.santronics.com
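The decision logic the thread argues over, as an added example that is not code from any poster, from dkim.jp or from any DKIM implementation: it encodes Ian Eiloart's point that an SPF pass and a verified DKIM signature each survive a different intermediary (mailing lists break one, forwarders the other), and Hector Santos's point that a signature which fails to verify counts as no signature, so a "discard-if-no-sig" variant of ADSP is satisfied by a deliberately broken signature while a strict "discardable" is not. The domain names, the trusted set and the sample authentication results are constructed.

```python
"""Constructed example for this thread's SPF / DKIM / ADSP arguments (made-up domains)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthResults:
    spf: str            # "pass", "fail", "softfail", "neutral" or "none"
    spf_domain: str     # domain SPF was evaluated for (RFC 5321 MailFrom)
    dkim: str           # "pass", "fail" (signature present but broken), "none"
    dkim_domain: str    # d= of the signature, "" when there is no signature
    author_domain: str  # RFC 5322 From domain
    adsp: str           # ADSP of the author domain: "unknown", "all", "discardable"


# Constructed reputation data: verified identities we already trust.
TRUSTED = {"example.jp", "lists.example.org"}


def reputation_domain(r: AuthResults) -> Optional[str]:
    """Identity that domain-based reputation can be attached to, or None.

    A verified DKIM signature survives forwarding; an SPF pass survives a
    mailing list, which uses its own return path.  Either one is enough.
    """
    if r.dkim == "pass":
        return r.dkim_domain
    if r.spf == "pass":
        return r.spf_domain
    return None


def author_signature_verified(r: AuthResults) -> bool:
    """DKIM rule: a signature that fails to verify counts as no signature."""
    return r.dkim == "pass" and r.dkim_domain == r.author_domain


def adsp_disposition(r: AuthResults) -> str:
    """'accept', 'suspect' (dkim=all, unsigned) or 'discard' (dkim=discardable)."""
    if author_signature_verified(r) or r.adsp == "unknown":
        return "accept"
    return "discard" if r.adsp == "discardable" else "suspect"


def naive_discard_if_no_sig(r: AuthResults) -> str:
    """The proposed variant: only a *missing* signature header is fatal."""
    if r.dkim == "none" and r.adsp == "discardable":
        return "discard"
    return "accept"


def score_adjustment(r: AuthResults) -> float:
    """Spam-score delta: small penalty for SPF softfail/neutral, a larger one
    for SPF fail, more for an unsigned discardable author domain, and a
    bonus when a trusted identity verified."""
    delta = 0.0
    if r.spf in ("softfail", "neutral"):
        delta += 0.5
    elif r.spf == "fail":
        delta += 1.0
    if adsp_disposition(r) != "accept":
        delta += 2.0
    if reputation_domain(r) in TRUSTED:
        delta -= 3.0
    return delta


# Constructed scenarios from the thread.
MAILING_LIST = AuthResults("pass", "lists.example.org", "fail", "example.jp",
                           "example.jp", "unknown")   # list rewrote the body
LIST_DISCARDABLE = AuthResults("pass", "lists.example.org", "fail", "example.jp",
                               "example.jp", "discardable")  # legitimate mail lost
FORWARDED = AuthResults("fail", "example.jp", "pass", "example.jp",
                        "example.jp", "discardable")  # forwarder broke SPF only
SPOOF_BROKEN_SIG = AuthResults("fail", "attacker.example", "fail", "example.jp",
                               "example.jp", "discardable")  # deliberately broken d=
```

`LIST_DISCARDABLE` is the case John Levine and Doug Otis warn about: the list's SPF pass still gives a reputation identity, but a strict discardable policy throws the legitimate message away.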
Re: [ietf-dkim] DKIM Japan has been set up
On Sat, Nov 20, 2010 at 11:49:36AM +0900, Tsuneki Ohnishi allegedly wrote:
> Hi to all, I am Tsuneki Ohnishi and I would like to let you know that DKIM Japan (dkim.jp) has just been set up as of Nov 15, 2010.

Welcome, Tsuneki, glad to have you join. It's great news to hear of such commitment. Who knows? Maybe .jp will be the first ccTLD to get comprehensive DKIM coverage. Wouldn't that be something!

Mark.
[ietf-dkim] DKIM Japan has been set up
Hi to all, I am Tsuneki Ohnishi and I would like to let you know that DKIM Japan (dkim.jp) has just been set up as of Nov 15, 2010. It's a non-profit organization and its main purpose is to share information and to clear the decks for the nationwide implementation of DKIM.

Our board members consist of top major companies like Yahoo! Japan, Sendmail, Rakuten Inc., Nifty Corp, PIPED BITS Co.Ltd, and infomani@ Inc. Other members sum up to about 30 companies now, consisting of major ISPs, ebiz companies and security vendors. We also have the Ministry of Public Management, Home Affairs, Posts and Telecommunications as an observer.

I am the company owner of infomani@ Inc and speaking on behalf of dkim.jp. What I would like to do here is to share information and possibly contribute to the community by giving feedback from what we're trying to do in Japan. I may ask some dumb questions since I am new here, but I hope I'm welcome. :-)

Tsuneki Ohnishi
infomani@ Inc.