On Wed 16/Aug/2023 15:26:43 +0200 Laura Atkins wrote:
> On 16 Aug 2023, at 12:59, Alessandro Vesely <[email protected]> wrote:
>> On Wed 16/Aug/2023 11:17:50 +0200 Laura Atkins wrote:
>>> On 16 Aug 2023, at 09:57, Alessandro Vesely <[email protected]> wrote:
>>>> How about enacting common sense rules such as "Never sign anything
>>>> without reading the small print"? In the same way that users agree to
>>>> any Terms & Conditions without reading, domains sign any mail their users
>>>> send without knowing. Decadent practices, aren't they?
>>>
>>> Can you expand on this? I'm not sure I understand how reading the content
>>> will fix the problem. Spam is an issue of volume mostly.
>>
>> Avoiding signing /without knowing/ could perhaps partially solve the
>> problem. Reading the content was just for comparison with signing
>> agreements.
>
> Without knowing what, though? I am just not understanding what

Sorry, I meant without knowing who the author is.

>> According to RFC 6373, "DKIM separates the question of the identity of the
>> Signer of the message from the purported author of the message." Yet, an
>> open signer is for DKIM the equivalent of what an open relay is for SPF.
>>
>> Does Google know the real ID of its users? I'd guess in many cases they do;
>> for example, Google does payments and bank stuff which do require real IDs
>> (I pay, therefore I am). Nevertheless, they sign all email messages with
>> the same d=gmail.com, irrespective of user reputation.
>>
>> I fully understand the right to anonymity. I know it's in the First
>> Amendment, in the US. However, I figure users should trust their mailbox
>> providers enough to disclose their real ID. The minority of people who
>> really need to care about that can always find a provider in countries
>> where ISPs cannot be forced to disclose, or suffer sending lower grade
>> mail.
>>
>> Would that be an acceptable kind of solution?
>
> I'm not sure I understand how this is a solution. As Evan and Emanuel have
> both said, the bad actors have access to many thousands of accounts that
> look like real accounts. In my own experience, they have access to
> validating credit cards, which is one of the most common ways to validate a
> real identity online.
>
>> There is an ongoing effort to safeguard digital identities (and plaguing
>> people with 2FAs). Checking IDs must be possible, and should be done in a
>> number of cases. Perhaps free mailbox providers could contribute...?
>
> But 2FA isn't a real ID, it's just 2FA.

True. When I happen to need 2FA it is for sites that know my real ID. Yet
2FA by itself doesn't bring that info.

>> Before digressing about methods, the question is whether limiting signing
>> to known (good) users could mitigate the replay problem. Suppose an ESP or
>> MP only signs mail authored by people who subscribed more than one month
>> ago, and whose ID was verified less than six months ago. Would that
>> diminish replay attacks by any amount?
>
> Given what I know of how spammers work, one month and 6 months to warm an
> account is trivial and something that a lot of spammers already bake into
> their setup processes.

You know this subject better than I. I just said 6 months based on how orgs
like PGP Global Directory and Let's Encrypt behave. Let's not digress about
methods for a moment.

In the EU there are electronic ID cards issued by governments. In Italy, the
government additionally established SPID[*], whereby private ID providers can
grant access to various sites. They are both grounded on credentials issued
after in-person contact. Banks don't use SPID, but AFAIK require in-person
contact in order to create accounts.

Then, obviously, any method to verify an ID has weak points and bad actors
will always slip through the cracks. However, with what percentage of
success? Since we're interested in volumes, a relevant quote of success is
enough.

Email addresses are already often used as digital IDs, and I'm sure MPs make
considerable efforts to keep them safe. Yet, that can be improved. To wit,
while I saw several times Google vans acquiring the reality of streets, I
never saw a Google officer acquiring the reality of user IDs. How do large
MPs manage accounts? Don't they categorize them with some sort of trust
indicator, like, say, inactive accounts, personal accounts, amount of
traffic, in/out ratio, percentage of bounces and the like? The kind of
solution I'm trying to propose is about why DKIM signatures don't vary
according to such an indicator, if it exists.

The digital environment which is emerging deserves valid IDs anyway. For
example, are we able to enter job positions or sign agreements online? Such
abilities can be easily seen as a must for economic boost. So can we assume
that it is possible to determine real IDs of email accounts with reasonable
accuracy?

To repeat my questions, then, would limiting (qualified) DKIM signatures to
verified accounts diminish replay attacks by any amount? Is this kind of
solution acceptable?

Best
Ale

--
[*] https://www.spid.gov.it/en/what-is-spid/
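As an added illustration of the tiered-signing policy proposed in this message (example code, not from the thread or any mailbox provider), the function below picks a DKIM selector from the account indicators mentioned above. The one-month subscription age and six-month verification window are the thread's figures; the selector names, the bounce-rate threshold and the account fields are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds quoted in the thread: the author must have subscribed more than
# one month ago and had their ID verified less than six months ago to get
# the "qualified" signature.
MIN_ACCOUNT_AGE = timedelta(days=30)
MAX_VERIFICATION_AGE = timedelta(days=180)
# Assumed value: accounts bouncing more than this share of outbound mail are
# not considered trustworthy enough for the qualified selector.
MAX_BOUNCE_PCT = 5.0


@dataclass
class Account:
    """Trust indicators a mailbox provider could keep per account (assumed)."""
    subscribed: date
    id_verified: Optional[date]   # None if the provider never checked an ID
    bounce_pct: float             # share of recent outbound mail that bounced


def signing_selector(acct: Account, today: date) -> str:
    """Return the DKIM selector to sign this account's mail with.

    'qualified' marks mail from an established, recently verified account
    with a healthy bounce rate; 'generic' is the catch-all signature every
    account gets today.  Both names are hypothetical.
    """
    established = today - acct.subscribed > MIN_ACCOUNT_AGE
    verified = (acct.id_verified is not None
                and today - acct.id_verified < MAX_VERIFICATION_AGE)
    if established and verified and acct.bounce_pct <= MAX_BOUNCE_PCT:
        return "qualified"
    return "generic"


if __name__ == "__main__":
    # Constructed sample: verified in June, subscribed in January, few bounces.
    today = date(2023, 8, 16)
    good = Account(date(2023, 1, 1), date(2023, 6, 1), 1.0)
    fresh = Account(date(2023, 8, 1), date(2023, 6, 1), 1.0)
    print(signing_selector(good, today), signing_selector(fresh, today))
```

A replayed message keeps whatever signature it was given, so a policy like this only narrows which accounts can obtain the qualified signature; it does not revoke one already applied.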
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim