[ietf-dkim] New Issue: 4.2 needs new Attack Item: Inconsistent Signature vs Policy Attacks

2006-01-30 Thread Hector Santos
Suggested correction to TA: Add a new attack item: Inconsistent Signature vs. Policy Attacks Impact: High Likelihood: High If a new column "Detection/recovery" is added as suggested in a previous TA review comment, then this would change to: Inconsistent Policy Attacks

Re: [ietf-dkim] New Issue: 4.2 needs new Attack Item: Inconsistent Signature vs Policy Attacks

2006-01-30 Thread Tony Hansen
My comment here is really about the relationship between DKIM and the SSP: what Hector is describing below implies to me that we need to know up front whether or not an SSP should be applied. This can be accomplished in several ways: 1) always look for the SSP, as Hector suggests; 2) add informatio

[ietf-dkim] Expectations for the threat draft

2006-01-30 Thread Douglas Otis
A review of the DKIM threat draft may help establish realistic expectations for the role that DKIM might play. This review should not be seen as either condemnation or endorsement, but rather estimating the service DKIM is able to safely provide as a valuable extension to SMTP. A stateme

Re: [ietf-dkim] New Issue: 4.2 needs new Attack Item: Inconsistent Signature vs Policy Attacks

2006-01-30 Thread william(at)elan.net
SSP is ability to indicate policy for email address, i.e. when you see address in from you can check to find if emails from that address are supposed to be signed. If you only check policy record when you see a signature - this pretty much breaks the reason for having such policy record in the fi

Re: [ietf-dkim] New Issue: 4.2 needs new Attack Item: Inconsistent Signature vs Policy Attacks

2006-01-30 Thread Dave Crocker
Folks, Tony Hansen wrote: My comment here is really about the relationship between DKIM and the SSP: what Hector is describing below implies to me that we need to know up front whether or not an SSP should be applied. Having tracked this discussion, for a bit, I am not understanding how it

[ietf-dkim] When will we know the Threat Analysis document is complete

2006-01-30 Thread Dave Crocker
Folks, Jim has put in quite a bit of effort on the Threat Analysis document. Multiple iterations of a document, with revisions that are highly responsive to community feedback, usually makes for a document that is finished. In the current case, I find myself entirely unclear how we will know

[ietf-dkim] Re: New Issue: 4.2 needs new Attack Item: Inconsistent Signature vs Policy Attacks

2006-01-30 Thread Frank Ellermann
Tony Hansen wrote: > 1) always look for the SSP, as Hector suggests; > 2) add information to the DKIM DNS record to indicate that > the SSP should always be looked for; > 3) incorporate the SSP information into the DKIM DNS record; > or 4) some other ways I'm not thinking of at the moment. Do

Re: [ietf-dkim] New Issue: 4.2 needs new Attack Item: Inconsistent Signature vs Policy Attacks

2006-01-30 Thread Hector Santos
- Original Message - From: "william(at)elan.net" <[EMAIL PROTECTED]> > SSP is ability to indicate policy for email address, i.e. when you see > address in from you can check to find if emails from that address are > supposed to be signed. If you only check policy record when you see a > s

Re: [ietf-dkim] New Issue: 4.2 needs new Attack Item: Inconsistent Signature vs Policy Attacks

2006-01-30 Thread Hector Santos
- Original Message - From: "Dave Crocker" <[EMAIL PROTECTED]> > Can someone clarify how this is within scope for the > current deliverable? Hm, Dave, as requested by Jim and Stephen, I racked my brains trying to mold this NEW ISSUE entry in the best possible manner that would cater

Re: [ietf-dkim] Re: New Issue: 4.2 needs new Attack Item: Inconsistent Signature vs Policy Attacks

2006-01-30 Thread Douglas Otis
On Jan 30, 2006, at 1:07 PM, Frank Ellermann wrote: Doug proposed to copy the SSP into the signature as shortcut for any "check SSP only for valid signatures" strategy. If I understood his proposal correctly. Apparently that has the same effect as your point (3), and if possible (3) is

Re: [ietf-dkim] New Issue: 4.2 needs new Attack Item: Inconsistent Signature vs Policy Attacks

2006-01-30 Thread Stephen Farrell
Hector, Hector Santos wrote: Suggested correction to TA: Add a new attack item: Inconsistent Signature vs. Policy Attacks Impact: High Likelihood: High I think there's a fair enough point there all right though getting the wording right might be tricky. In 4.1 we do hav

Re: [ietf-dkim] When will we know the Threat Analysis document is complete

2006-01-30 Thread Stephen Farrell
Dave, Dave Crocker wrote: Folks, Jim has put in quite a bit of effort on the Threat Analysis document. Multiple iterations of a document, with revisions that are highly responsive to community feedback, usually makes for a document that is finished. In the current case, I find myself ent

Re: [ietf-dkim] When will we know the Threat Analysis document is complete

2006-01-30 Thread Dave Crocker
Stephen, This is always tricky and the short answer is that we won't know since there may always be a vulnerability that we didn't think about. Frankly, given the long history of Bad Actor creativity, I assume that there is no issue of "may" but the certitude of "will". Nonetheless, the

Re: [ietf-dkim] When will we know the Threat Analysis document is complete

2006-01-30 Thread Stephen Farrell
Dave Crocker wrote: The question is whether we are getting comments from the necessary folk? The Security Area has a long history of being quite good at finding (legitimate) flaws. So the rest of us might well engage in super-human diligence and still not satisfy the folks with an effective

Re: [ietf-dkim] When will we know the Threat Analysis document is complete

2006-01-30 Thread Dave Crocker
Fair question. Barry and I already did seek some review and intend asking again when we're at the start of last call. I'd encourage others on this list to do the same if you can get additional review of the draft. Sounds good. Not sure what more we can do. But suggestions are welcome. M

Re: [ietf-dkim] New Issue: 4.2 needs new Attack Item: Inconsistent Signature vs Policy Attacks

2006-01-30 Thread Hector Santos
- Original Message - From: "Stephen Farrell" <[EMAIL PROTECTED]> To: "Hector Santos" <[EMAIL PROTECTED]> > Note - I don't think we should get into solutions in the threats > draft, though the considerations from Tony's mail should come back > up for discussion later. Unbelievable. :-) T

Re: [ietf-dkim] When will we know the Threat Analysis document is complete

2006-01-30 Thread Hector Santos
- Original Message - From: "Dave Crocker" <[EMAIL PROTECTED]> To: "Stephen Farrell" <[EMAIL PROTECTED]> >> important. Silence on this produces no evidence (nor btw would >> simple acclaim). > > The question is whether we are getting comments from the necessary folk? You know, I take offe

Re: [ietf-dkim] New Issue: 4.2 needs new Attack Item: Inconsistent Signature vs Policy Attacks

2006-01-30 Thread Stephen Farrell
Hector Santos wrote: - Original Message - From: "Stephen Farrell" <[EMAIL PROTECTED]> To: "Hector Santos" <[EMAIL PROTECTED]> Note - I don't think we should get into solutions in the threats draft, though the considerations from Tony's mail should come back up for discussion later.

RE: [ietf-dkim] When will we know the Threat Analysis document is complete

2006-01-30 Thread Hallam-Baker, Phillip
> [mailto:[EMAIL PROTECTED] On Behalf Of Stephen Farrell > Dave Crocker wrote: > > The question is whether we are getting comments from the > necessary folk? > > > > The Security Area has a long history of being quite good at finding > > (legitimate) flaws. So the rest of us might well engage

[ietf-dkim] DKIM Support and Deployment lists for organizations

2006-01-30 Thread Dave Crocker
Folks, A useful measure of an IETF effort is the amount of community support it has. For DKIM, we have assembled an initial list of organizations willing to be counted as supporting the effort. Please take a look at . If you wish to have you

Re: [ietf-dkim] DKIM Support and Deployment lists for organizations

2006-01-30 Thread Douglas Otis
On Jan 30, 2006, at 3:19 PM, Dave Crocker wrote: Folks, A useful measure of an IETF effort is the amount of community support it has. For DKIM, we have assembled an initial list of organizations willing to be counted as supporting the effort. Please take a look at

Re: [ietf-dkim] Attempted summary, SSP again

2006-01-30 Thread Jim Fenton
Hector Santos wrote: - Original Message - From: "Jim Fenton" <[EMAIL PROTECTED]> Please don't overreact. I would have spoken up sooner if I had understood the disconnect and if I thought that your interpretation was as broken as you seem to think it is

Re: [ietf-dkim] Attempted summary, SSP again

2006-01-30 Thread Hector Santos
- Original Message - From: "Jim Fenton" <[EMAIL PROTECTED]> To: "Hector Santos" <[EMAIL PROTECTED]> > What I said (http://mipassoc.org/pipermail/ietf-dkim/2005q4/001242.html) > was: > So I don't think I'm contradicting myself, and I don't think > we need to work out the details for the -t

Re: [ietf-dkim] When will we know the Threat Analysis document is complete

2006-01-30 Thread Dave Crocker
You know, I take offense to that statement. Who are the necessary folks, Dave? If your form of thinking is that necessary input comes from selected people, then why don't you cry out to them and ask for their input. Statements like this don't impress me at all and it's a good reason why I have such

Re: [ietf-dkim] DKIM Support and Deployment lists for organizations

2006-01-30 Thread Dave Crocker
Doug, Sorry, but I have no idea what your note means, and particularly have no idea what, if any action, I am supposed to take. I do not know what the "oops" is and, as nearly as I can tell, the supporters page does not list trendmicro. d/ Douglas Otis wrote: On Jan 30, 2006, at 3:19 PM,