On Nov 21, 2006, at 7:49 PM, Hector Santos wrote:
Douglas Otis wrote:
It remains conjecture an authorization scheme provides a
measurable reduction in the success rate. As bad actors are able
to authorize their own messages in various forms, an authorization
scheme may increase the success rate of phishing attempts.
Recipients are not protected by such a highly flawed scheme.
I don't understand why you make it so difficult.
If I say "all my mail is signed" and that expectation is defined
based on a standard SSP protocol established, then a RECEIVER and
the original DOMAIN owner should be as happy as a pig in mud when
fraudulent MAIL is arriving without signatures.
This presumes bad actors are blocked by an easily defeated scheme.
Guidance offered by SPF suggests the number blocked is less than
3%. In addition, blocking is not as black and white as you suggest.
What happens when someone sends a message to a mailing list?
Bad actors easily create messages that appear official and blessed by
their authorization record. The recipient is still in the muck
sorting through fraud while attempting to uncover a bad actor's many
tricks. With EAI, there are now two email-addresses published per From
entity. Which email-address is checked? What part of the email-
address is displayed, if any? An authorization scheme alone benefits
bad actors.
The first thing that we will be getting rid of is the legacy
malicious exploiters of domains who are not going to follow
anything or would care for anyway.
Are you talking about including policies for the Mail From as well?
But sure, bad actors can participate in the DKIM/SSP process and in
my view, that is great if we can get them to ADAPT in a positive
way - our way.
The recipient is still lost attempting to decide which messages are
valid. Look-alike and cousin domain ploys are not defeated. Without
evidence there is any value validating the DKIM signature, it should
not be done. Here domain association techniques can play a greater
role than would any authorization scheme. If there is any
authorization scheme added, it would be practical in only a very
small portion of domains sending messages. Hardly worth the overhead.
That is where the additional layers come into play, such as
REPUTATION if that is what the receiver wants to use to further
give credence to a DKIM-ready message.
Without a means to prevent positive reputations (white-listing) from
being abused, positive reputation use is highly prone. Anti-replay
protections require some means to associate DKIM signing with the
SMTP client. SPF does not offer a safe method for this association.
As the envelope is not included within the DKIM signature,
unsolicited messages can not accrue against the signing domain. It
would be a bad outcome when messages are rejected because envelopes
do not match message headers.
The goal is to eliminate the obvious and that obvious comes in
detecting the invalid conditions and if a DOMAIN exposes a policy
implying invalid conditions were not expected, then all the
receiver needs is to junk or do something with that message and the
receiver and original domain would be protected. We don't need an
MUA to get involved.
In an ideal world, perhaps. Limiting this effort to only
authorization is the wrong choice. While the MTA might be able to
block 2.5% of non-compliant messages, the success rate of phishing
will hit a new high, and the integrity of email delivery will hit a
new low. DKIM requires the MUA to annotate messages. The DKIM
signature is not visible _by design_. There is no assurance what the
recipient sees in a non-DKIM aware MUA. This must change, and
efforts must focus upon message annotations. Once the recipient has
an MUA that compares signed messages against their address-book,
there is _absolutely_ no need for an authorization scheme, the
sizable overhead, and the many delivery problems with incumbent
support calls.
Why not allow the MUA to safely apply annotations based upon a
recipient's out-of-band knowledge of the sender? What annotations
can be applied based upon an email-address domain authorizing their
own messages? None. When authorization is the only goal, then
practical, safe, and reasonable has been completely missed.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
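
The address-book comparison described in the message above, as an added illustration that is not code from this thread or from any DKIM implementation. It assumes a DKIM verifier has already run and handed over the set of d= domains whose signatures verified; the annotation labels, address book and sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: address -> name the recipient knows it by.
ADDRESS_BOOK = {"billing@bank.example": "Example Bank"}

def covers(signing_domain, from_domain):
    """True if the d= domain equals the From domain or is a parent of it."""
    s, f = signing_domain.lower(), from_domain.lower()
    return f == s or f.endswith("." + s)

def annotate(raw_message, verified_domains, address_book=ADDRESS_BOOK):
    """Return the annotation an MUA could display for one message.

    verified_domains holds the d= values of signatures that already
    verified (assumption: verification happened upstream of this code).
    """
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    signed = any(covers(d, domain) for d in verified_domains)

    if addr in address_book:
        # Recipient's out-of-band knowledge plus a covering signature.
        return "known-signed" if signed else "known-unsigned"

    # A valid signature from an unlisted domain earns no trust by itself:
    # a cousin domain can sign its own mail perfectly well.
    known_names = {name.lower() for name in address_book.values()}
    if display.strip().lower() in known_names:
        return "name-collision"
    return "unknown-signed" if signed else "unknown-unsigned"

# Constructed sample messages.
GENUINE = "From: Example Bank <billing@bank.example>\nSubject: Statement\n\nHi\n"
COUSIN = "From: Example Bank <billing@bank-secure.example>\nSubject: Alert\n\nHi\n"
STRANGER = "From: Someone <a@other.example>\nSubject: Hello\n\nHi\n"

if __name__ == "__main__":
    print(annotate(GENUINE, {"bank.example"}))
    print(annotate(COUSIN, {"bank-secure.example"}))
    print(annotate(STRANGER, {"other.example"}))
```

The cousin-domain message carries a signature that verifies for its own domain, yet it is flagged rather than promoted because its address is not one the recipient already knows.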