On 10/25/2017 8:01 AM, John Levine via dmarc-discuss wrote:
> There is nothing whatsoever new in this article.


1. The fact that some folk know about these issues and that they were talked about at some point in time and that there is an obscure record of those discussions does not mean that these issues are well-documented or well-understood broadly. However these issues are important, to the level of being fundamental, in understanding the benefits and limits of DKIM. Consequently, a document that considers these issues well and is published for stable citation would be helpful. We should strongly consider producing such a treatment, with a title like "DKIM Pragmatics" or the like.


2. The article in question might have the right intentions -- and it does highlight important points that are not widely understood and whose implications are often missed -- but it fails at its start. In the Summary:

   "DKIM is... one of the major ways currently used to combat sender
   spoofing in e-mail"

No, DKIM is not. It doesn't try to be, so it's not interesting that it doesn't accomplish this.

DKIM is a way of reliably and accurately associating /some/ valid identifier to a message. That's all, though that's quite a lot, IMO.

   "This is considered a proof that the mail was actually sent by the
   mail server responsible for the senders domain."

While that interpretation is valid for the way some sites do their signing, it is not part of DKIM's standard semantic. This distinction is not small.

SPF is often also considered to accomplish spoofing prevention but since it is mostly keyed off of the SMTP Mail-From command, its semantics, too, have nothing to do with interesting, user-visible spoofing. DMARC, of course, very much does, but that's a value-added semantic layer above DKIM and SPF.


I haven't bothered with a detailed critique of the paper. I'd rather we consider producing a vetted version of a document that has a similar intent, but is more careful and accurate in its technical detail. (It's possible this article is a good start; that would be for discussion...)

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
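
The distinction drawn in the message above, as an added example that is not part of the original post: a valid DKIM signature only attaches the `d=` identifier to the message, and it is the DMARC layer that compares that identifier (and the SPF MAIL FROM domain) with the user-visible From: domain. The sample message, the envelope sender and the two-label `org_domain` shortcut are assumptions made for illustration (real DMARC uses the Public Suffix List), and the signature is assumed to have already verified cryptographically.

```python
import email
from email.utils import parseaddr

# Constructed sample message (not from the thread). The signature is assumed
# to have verified; only the identifiers it carries are examined here.
RAW = """\
From: "Example Bank" <alerts@bank.example>
To: user@recipient.example
Subject: Account notice
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailer.example;
 s=sel1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER

Body text.
"""
MAIL_FROM = "bounce@mailer.example"  # constructed SMTP envelope sender


def dkim_tags(header_value):
    """Parse a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags


def org_domain(domain):
    """Naive organizational domain: last two labels (assumption, no PSL lookup)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def identifiers(raw, mail_from):
    """Return the three domains involved and whether each aligns with From:."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    dkim_d = dkim_tags(msg["DKIM-Signature"])["d"].lower()
    spf_domain = mail_from.rpartition("@")[2].lower()
    return {
        "from": from_domain,   # what the user sees
        "dkim_d": dkim_d,      # what DKIM actually vouches for
        "spf": spf_domain,     # what SPF is keyed on
        "dkim_aligned": org_domain(dkim_d) == org_domain(from_domain),
        "spf_aligned": org_domain(spf_domain) == org_domain(from_domain),
    }


if __name__ == "__main__":
    for key, value in identifiers(RAW, MAIL_FROM).items():
        print(f"{key}: {value}")
```

In the sample, both DKIM and SPF can pass for `mailer.example` while neither aligns with the From: domain `bank.example`, which is the check DMARC layers on top.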