On Sat, 2006-01-14 at 05:40 +0100, Frank Ellermann wrote: > Douglas Otis wrote: > > That leaves us with one interesting case, "open-ended" signing > policy without related signature, but a PASS for a third party > signature. In that case complaints should be of course sent > to the signing-domain, not to the signing policy domain owner > (or to the From address, maybe replacing the LHS by abuse@).
Absolutely. Which is why it is wrong to include a reporting vector in the email-address domain owner's policy statement. The reporting vector should be solely defined for the signing domain. > I don't see any specific threat here related to "open-ended" > or "closed" policies. No signature is like NEUTRAL, receivers > can't do much with it (except from screwing-up), it's a polite > form of saying "thanks for supporting DKIM or SPF resp., but > for this mail you wasted your time". The email-address domain owner _may_ be held culpable for "open-ended" policies as these allow abuse. Although such treatment would be unfair, nevertheless being unfair, intentionally or not, would be beneficial to larger domains. Not defining the publishing any "open-ended" policies within the SSP draft would prevent this concern, as would removing the reporting vector. DKIM should make it clear the signing-domain and _not_ the email-address domain must be held accountable. > Finally, why should bad actors intentionally try to abuse > addresses with "open-ended" policies ? IMO that's a stupid > plan, receivers used to get "SPF PASS" or "DKIM valid" or what > else would of course look twice if they suddenly get only a > NEUTRAL or no signature or a broken signature. Consider the situation where the majority of email with a DKIM signature is done by providers that place no restrictions upon the email-address. Of those emails where the email-address has a policy record that affirms third-party signatures are used, this will likely obtain a higher ratings over email-addresses where nothing has been affirmed. Just as not publishing a reporting vector in the email-address policy prevents Really Stupid(tm) behavior, not publishing "open-ended" policies prevents the same Really Stupid(tm) behavior. > > I don't think there is any question that a closed policy will > > prevent the use of most list servers, for example. Posting > > to a list is a common use. > > Nothing forces domain owners to publish closed policies, we've > already discussed this. The WG charter says that the WG will > consider mailing lists, and that's a topic for the SSP draft. Publishing a closed policy is okay for those domains that do not mind disrupting common practices. At the same time, those domain owners should also be aware this may only change the nature of abuse, such as increasing the prevalence of display-name, look-alike, tld, and hyphenated attacks. For those domains, such as access providers, that do not wish to disrupt their customers use of email, the act of the provider signing email (a good thing) may put their customers at risk when their customers are coerced into publishing some type of open policy. Not providing any open-ended, or third-party signer listings mechanisms should curtail coercive tactics or unfair reputations placed upon the email-address domain owner. This can be done while _still_ allowing closed polices. > And also for the base draft wrt invalidated signatures. But > IMO not for the threats draft. Unrelated, there are now some > IETF pages for the WG: <http://tools.ietf.org/wg/dkim> Bye Thank you for the link. : ) -Doug _______________________________________________ ietf-dkim mailing list http://dkim.org
