On Wed, 25 Apr 2007, Jeroen Massar wrote:
> And how exactly do you propose spreading X.509 usage to endusers?
>> Do recall that $grandma doesn't know what it is, and can't care less
> either. And she sure is not going to change her mailsetup.
She doesn't care at all, yet she already has root certificates.
Provided by Microsoft and/or Mozilla. Those same two entities also
have coverage of just about all MUAs in use today.
(indeed, doesn't thunderbird support S/MIME already?)
(indeed, doesn't SMTP *already* have support for using X.509?)
> The point is that you can junk/trash/reject anything else and that
> those thousands of emails being spammed onto you only get accepted
> when the source domain acknowledges them. This also means that
> those bounces are not going to end up at the faked domain.
Ooh, yay, the "stop joe-job blowback" argument. Except blowback can
be rejected without *any* need for *any* new inter-organisational
protocols.
Any MTA can guard against blowback by just keeping some state,
*today*.
> "Subject" is a header. I personally do not care so much about it, some
> other people do.
Easily dealt with by just defining some mime-part to hold signature
of MUA-supplied headers. The fact no such mime part exists for PGP
suggests that perhaps no one cares.
> I also care that somebody isn't spoofing jeroen at unfix.org with
> their spamrobots or virusspreaders and then having people believe I
> actually send that message. Now when the message is signed they at
> least know that what send it at least had my PGP key so most likely
> is me.
You can have your MTA automatically apply some kind of
domain-signature, if you wished. I think the existing MIME stuff
could be used for that, if not, they could be defined.
If you really cared.
> So you do not mind receiving "Paul has been fired" as a subject line,
> further signed by the Linus Torvalds!? :)
If the MUA can make it clear the body is faked.. sure.
For the MUA-headers, see above. If you want it, can be done. No MTA
changes needed.
>> So you're saying ISPs are going to drop email based on lack of or
>> failling DKIM? Or that'll maintain per-user whitelists? Course not..
>> It'll be passed on for users' MUAs to do.
>> No. When a domain has specified a DKIM policy, the receiver will REJECT
> messages which are not DKIM signed and verified to be valid.
>> This avoids the message even getting delivered at all.
Ah, that's nice. I've no objections to publishing policy, you could
do the same for other types of authentication. However, given the
default policy in DKIM is "allow through", couldn't you just DoS the
DNS servers of the organisation you're phishing, while sending the
phish-bait?
Where I can find documentation on the policy publication stuff btw? I
havn't come across it yet in the RFCs. (half-way through the main
one).
> Just as a side-example, the annoying thing about Spam is not that
> it exists, but the quantities that you get them in and the amount
> of
Arg: The "Use false-advertising to generate hype" slight of hand.
DKIM will have /no/ effect on spam at all. Most spam will have
*valid* DKIM signatures, if DKIM is widely checked, just as most
today most valid SPF mail is spam.
> The end user doesn't need to do anything for DKIM. The ISP will do
> it for them. The end user could do it also of course, but they
> don't need to.
Ooh, wow, that sounds good. Tell me more, how will the ISP block all
those nasty phishing emails for their users? Whitelist you say? So
how will that work?
> Because it is not signed by the sending domain and thus didn't come
> from the originating domain and thus is faked and should not exist.
So my ISP is going to start rejecting non-DKIM signed email? Hmm,
won't I lose lots of my email that way? Might I, and many users like
me, not just move to another ISP?
> That I don't get a daily flood of replies from all kinds of places
> trying to state that they received all kinds of spam and virusses
> which never where send by me, but to them did look like they where
> sent by me.
Bogus argument: You dont need DKIM to prevent joe job blow-back. Just
have your MTA keep state about messages it has sent and reject
bounces which dont match that state (see SRS..). You don't need to
wait for ten years for *everyone else* to deploy DKIM to knock that
problem on the head.
If you prefer to wait ten years rather than modify your MTA, then you
don't /really/ care about blow-back, now do you?
> Because then the message is already delivered. I don't want my slow
> Eircom DSL link filled with thousands of messages that are not
> real.
Then you have the problem of co-ordinating policy between user and
provider.
> Which whitelist? The existence of a DKIM DNS entry tells you "when
> mail is not signed with DKIM it most likely does not come from
> here",
Ah. So you should check DNS for all emails? And drop non-DKIM?
I can see that being a popular policy amongst users of ISPs who
implement it.
regards,
--
Paul Jakma paul at clubi.iepaul at jakma.org Key ID: 64A2FF6A
Fortune:
If food be the music of love, eat up, eat up.
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
