I-D Action:draft-otis-dkim-adsp-sec-issues-01.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.

	Title           : DKIM Author Domain Signing Practices (ADSP) Security Issues
	Author(s)       : D. Otis
	Filename        : draft-otis-dkim-adsp-sec-issues-01.txt
	Pages           : 15
	Date            : 2008-08-18

The proposed [I-D.ietf-dkim-ssp] defines DNS records that advertise
the extent to which a domain employs [RFC4871] to sign [RFC2822]
messages, and defines how other hosts can access these
advertisements.  Its laudable goal is to allow domains control over
the use of the From header field.  When a message is not adequately
signed, advertised assertions, referenced by a domain in the From
header field, assist in resolving the message's intended disposition.

However, [I-D.ietf-dkim-ssp] fails to discern that restricted
identities imposed upon remote signing agents require additional
control be afforded the domain, irrespective of the domain's
advertised practices.  [I-D.ietf-dkim-ssp] employs a flawed two-stage
signature validation process that occurs in conjunction with
advertised practices.  The two-stage approach impairs the range of
authentication assertions and related security tactics.  Advertised
practices not only determine whether a signature should be expected,
they may constrain the "on-behalf-of" identity applied by signing
agents that are not otherwise so restricted.  By constraining the
"on-behalf-of" identity for all signing agents, the draft neglects
the predominant role of the domain as a point of trust, and
incorrectly assumes the signature is limited to supporting assertions
regarding the identity of the author.  In addition, the only directly
actionable practice is defined using a term that is likely to
negatively impact the integrity of delivery status.

[I-D.ietf-dkim-ssp] impairs security in other ways as well, but
fortunately minor changes to the definition of a valid signature can
significantly remedy the most critical security issue.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-otis-dkim-adsp-sec-issues-01.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
<ftp://ftp.ietf.org/internet-drafts/draft-otis-dkim-adsp-sec-issues-01.txt>
_______________________________________________

I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
