I-D Action:draft-otis-dkim-adsp-sec-issues-02.txt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

A New Internet-Draft is available from the on-line Internet-Drafts directories.

	Title           : DKIM Author Domain Signing Practices (ADSP) Security Issues
	Author(s)       : D. Otis
	Filename        : draft-otis-dkim-adsp-sec-issues-02.txt
	Pages           : 17
	Date            : 2008-09-04

The proposed [I-D.ietf-dkim-ssp] defines DNS records that advertise
the extent to which a domain employs [RFC4871] to sign [RFC2822]
messages, and defines how other hosts can access these
advertisements.  Its laudable goal is to allow domains control over
the use of the From header field.  When a message is not adequately
signed, advertised assertions, referenced by a domain in the From
header field, assist in resolving the message's intended disposition.

However, [I-D.ietf-dkim-ssp] fails to discern that restricted
identities imposed upon remote signing agents require additional
control be afforded the domain, irrespective of the domain's
advertised practices.  [I-D.ietf-dkim-ssp] employs a flawed two-stage
signature validation process that occurs in conjunction with
advertised practices.  The two-stage approach impairs the range of
authentication assertions and related security tactics.  Advertised
practices not only determine whether a signature should be expected,
they may constrain the "on-behalf-of" identity applied by signing
agents that are not otherwise so restricted.  By constraining the
"on-behalf-of" identity for all signing agents, the draft neglects
the predominate role of the domain as a point of trust, and
incorrectly assumes the signature is limited to supporting assertions
regarding the identity of the author.  In addition, the only directly
actionable practice is defined using a term that is likely to
negatively impact the integrity of delivery status.

[I-D.ietf-dkim-ssp] impairs security in other ways as well, but
fortunately minor changes to the definition of a valid signature can
significantly remedy the most critical security issue.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-otis-dkim-adsp-sec-issues-02.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
<ftp://ftp.ietf.org/internet-drafts/draft-otis-dkim-adsp-sec-issues-02.txt>
_______________________________________________

I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
[Index of Archives]     [IETF]     [IETF Discussion]     [Linux Kernel]

  Powered by Linux