Eric Rescorla wrote:
>> If I see a message which is DKIM signed by iecc.com and
>> iecc.com is on my "DKIM white-list" this is pretty useful
>> info right?

[...]

> The scenario you cite is likely of *some* utility but
> it's not clear how much, or if it exceeds the cost of
> implementation and design. The answer to that question
> depends on (at minimum) (1) what the false positive
> rate would have been without the whitelisting

What's the question without the white list? If you don't
know iecc.com then it's a random stranger, and you're not
very interested to check his signature - unless "stupid
spammer unable to create a proper PASS" is important for
you.

> (2) the degree of predictability about whitelist contents
> (for attackers),

Yes, if the attacker doesn't get this right he loses, and
that's already the case today without DKIM or other schemes
to check white listed sources. When I get mail from XXXX
claiming that I'm a customer it's a phish, because I am no
XXXX customer. And if it's from YYYYYY hitting my inbox
or junk folders it's also a phish, I am an YYYYYY customer,
but the address used by YYYYYY for mail to me would never
hit my inbox or junk folder, it goes to a "secret" folder.

The latter approach is obviously shaky, adding some "PASS"
result as offered by DKIM and SPF could improve it. But
then it must be extremely hard to get a PASS for YYYYYY
for an attacker, otherwise I'd be better off without it.

> (3) the level of zombie infection--or more precisely
> potential zombie infection--of the domains which are on
> the whitelist.

If YYYYYY is controlled by a spammer I lose. In Arvel's
example all he can then do is to discuss it with iecc.com
and remove them temporarily from his white list. Or he
needs two white lists, one with trusted sources, a second
white list for less reliable sources with zombies.

But your point (3) is about the content of the white list,
not about a scheme like DKIM used to check mail claiming
to come from a white listed source.

> It's not clear to me that we have good data on any of these
> questions, let alone an analysis that incorporates all of
> them.

Your 3rd point is a hopeless case, you can only document
it: "trusted source + PASS => good" doesn't work if the
source is compromised.

Bye, Frank
_______________________________________________
ietf-dkim mailing list
http://dkim.org
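
The white-list reasoning in the message above, sketched as an added example (not code from the thread or from any DKIM implementation): a receiver combines its own verifier's `dkim=pass` result with two white lists. The verdict names, the list contents, `mx.example.net`, and the choice to flag white-listed claims without a PASS are assumptions made for illustration.

```python
import re

# Constructed sample data: two white lists, as the message suggests.
TRUSTED = {"iecc.com"}             # sources believed free of zombies
LESS_RELIABLE = {"example.org"}    # known senders that may be compromised
MY_AUTHSERV_ID = "mx.example.net"  # hypothetical name of our own verifier

# Simplified match on one "dkim=..." clause of an Authentication-Results value;
# [^;]*? keeps the match inside that clause.
DKIM_RE = re.compile(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", re.I)

def dkim_pass_domains(auth_results):
    """Signing domains with dkim=pass, read only from our own verifier's headers."""
    passed = set()
    for value in auth_results:
        head = value.split(";", 1)[0].split()
        if not head or head[0].lower() != MY_AUTHSERV_ID:
            continue  # header not stamped by our verifier: a sender could have forged it
        for result, domain in DKIM_RE.findall(value):
            if result.lower() == "pass":
                passed.add(domain.lower())
    return passed

def classify(from_domain, auth_results):
    """Return 'stranger', 'suspect', 'accept' or 'filter' (assumed verdict names)."""
    from_domain = from_domain.lower()
    if from_domain not in TRUSTED and from_domain not in LESS_RELIABLE:
        return "stranger"  # unknown sender: a PASS says nothing about reputation
    if from_domain not in dkim_pass_domains(auth_results):
        return "suspect"   # claims a white-listed source but has no PASS for it
    if from_domain in TRUSTED:
        return "accept"    # "trusted source + PASS"; still wrong if the source is compromised
    return "filter"        # PASS from the second list: keep content filtering on

if __name__ == "__main__":
    ar = ["mx.example.net; dkim=pass header.d=iecc.com header.s=sel1"]
    print(classify("iecc.com", ar))
```
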