draft-ietf-dkim-ssp-requirements-03.txt   draft-ietf-dkim-ssp-requirements-04.txt 
DKIM Working Group M. Thomas DKIM Working Group M. Thomas
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Intended status: Informational March 6, 2007 Intended status: Informational April 23, 2007
Expires: September 7, 2007 Expires: October 25, 2007
Requirements for a DKIM Signing Practices Protocol Requirements for a DKIM Signing Practices Protocol
draft-ietf-dkim-ssp-requirements-03 draft-ietf-dkim-ssp-requirements-04
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 34 skipping to change at page 1, line 34
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 7, 2007. This Internet-Draft will expire on October 25, 2007.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2007).
Abstract Abstract
DomainKeys Identified Mail (DKIM) provides a cryptographic mechanism DomainKeys Identified Mail (DKIM) provides a cryptographic mechanism
for domains to assert responsibility for the messages they handle. A for domains to assert responsibility for the messages they handle. A
related mechanism will allow an administrator to publish various related mechanism will allow an administrator to publish various
statements about their DKIM signing practices. This document defines statements about their DKIM signing practices. This document defines
requirements for this mechanism. requirements for this mechanism, distinguishing between those that
must be satisified (MUST), and those that are highly desirable
(SHOULD).
Requirements Language Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 6 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 6
3. SSP Problem Scenarios . . . . . . . . . . . . . . . . . . . . 7 3. SSP Problem Scenarios . . . . . . . . . . . . . . . . . . . . 7
3.1. Problem Scenario 1: All Mail Signed with DKIM . . . . . . 7 3.1. Problem Scenario 1: Is All Mail Signed with DKIM? . . . . 7
3.2. Problem Scenario 2: Illegitimate Domain Name Use . . . . . 8 3.2. Problem Scenario 2: Illegitimate Domain Name Use . . . . . 8
4. SSP Deployment Scenarios . . . . . . . . . . . . . . . . . . . 10 4. SSP Deployment Considerations . . . . . . . . . . . . . . . . 10
4.1. Deployment Scenario 1: Outsourced Signing . . . . . . . . 10 4.1. Deployment Consideration 1: Outsourced Signing . . . . . . 10
4.2. Deployment Scenario 2: Determinism in Lookup Mechanism 4.2. Deployment Consideration 2: Subdomain Coverage . . . . . . 10
and Subdomain Coverage . . . . . . . . . . . . . . . . . . 10 4.3. Deployment Consideration 3: Resent Original Mail . . . . . 10
4.3. Deployment Scenario 3: Resent Original Mail . . . . . . . 10 4.4. Deployment Consideration 4: Incremental Deployment of
4.4. Deployment Scenario 4: Incremental Deployment of
Signing . . . . . . . . . . . . . . . . . . . . . . . . . 11 Signing . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.5. Deployment Scenario 5: Transport Scenarios . . . . . . . . 11 4.5. Deployment Consideration 5: Performance and Caching . . . 11
4.6. Deployment Scenario 6: Human Legibility of Practices . . . 12 4.6. Deployment Consideration 6: Human Legibility of
4.7. Deployment Scenario 7: Cryptographic Downgrade Attacks . . 12 Practices . . . . . . . . . . . . . . . . . . . . . . . . 12
4.8. Deployment Scenario 8: Extensibility . . . . . . . . . . . 12 4.7. Deployment Consideration 7: Extensibility . . . . . . . . 12
4.9. Deployment Scenario 9: Security . . . . . . . . . . . . . 12 4.8. Deployment Consideration 8: Security . . . . . . . . . . . 12
5. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 13 5. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 13
5.1. Discovery Requirements . . . . . . . . . . . . . . . . . . 13 5.1. Discovery Requirements . . . . . . . . . . . . . . . . . . 13
5.2. SSP Transport Requirements . . . . . . . . . . . . . . . . 14 5.2. SSP Transport Requirements . . . . . . . . . . . . . . . . 14
5.3. Practice and Expectation Requirements . . . . . . . . . . 14 5.3. Practice and Expectation Requirements . . . . . . . . . . 14
5.4. Extensibility and Forward Compatibility Requirements . . . 17 5.4. Extensibility and Forward Compatibility Requirements . . . 16
6. Security Requirements . . . . . . . . . . . . . . . . . . . . 18 6. Security Requirements . . . . . . . . . . . . . . . . . . . . 18
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
8. Security Considerations . . . . . . . . . . . . . . . . . . . 20 8. Security Considerations . . . . . . . . . . . . . . . . . . . 20
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 21 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 21
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22
skipping to change at page 4, line 4 skipping to change at page 3, line 50
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
8. Security Considerations . . . . . . . . . . . . . . . . . . . 20 8. Security Considerations . . . . . . . . . . . . . . . . . . . 20
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 21 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 21
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22
10.1. Normative References . . . . . . . . . . . . . . . . . . . 22 10.1. Normative References . . . . . . . . . . . . . . . . . . . 22
10.2. Informative References . . . . . . . . . . . . . . . . . . 22 10.2. Informative References . . . . . . . . . . . . . . . . . . 22
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 23 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 23
Intellectual Property and Copyright Statements . . . . . . . . . . 24 Intellectual Property and Copyright Statements . . . . . . . . . . 24
1. Introduction 1. Introduction
DomainKeys Identified Mail [I-D.ietf-dkim-base]defines a message DomainKeys Identified Mail [I-D.ietf-dkim-base]defines a message
level signing and verification mechanism for email. While a DKIM level signing and verification mechanism for email. While a DKIM
signed message speaks for itself, there is ambiguity if a message signed message speaks for itself, there is ambiguity if a message
doesn't have a valid first party signature: is this to be expected or doesn't have a valid first party signature (ie, on behalf of the
not?. For email this is an especially difficult problem since there RFC2822.From address): is this to be expected or not? For email this
is no expectation of a priori knowledge of a sending domain's is an especially difficult problem since there is no expectation of a
practices. This ambiguity can be used to mount a bid down attack priori knowledge of a sending domain's practices. This ambiguity can
which is inherent with systems that allow optional authentication be used to mount a bid down attack which is inherent with systems
like email: if a receiver doesn't know otherwise, it should not that allow optional authentication like email: if a receiver doesn't
assume that the lack of a valid signature is a priori invalid. Thus, know otherwise, it should not assume that the lack of a valid
an attacker can take advantage of the ambiguity and simply not sign signature is exceptional without other information. Thus, an
attacker can take advantage of the ambiguity and simply not sign
messages. If a protocol could be developed for a domain to publish messages. If a protocol could be developed for a domain to publish
its DKIM signing practices, a message verifier could take that into its DKIM signing practices, a message verifier could take that into
account when it receives an unsigned piece of email. account when it receives an unsigned piece of email.
This document defines the requirements for a mechanism that permits This document defines the requirements for a mechanism that permits
the publication of Sender Signing Practices (SSP). The document is the publication of Sender Signing Practices (SSP). The document is
organized into two main sections: a Problem and Deployment Scenario organized into two main sections: a Problem and Deployment Scenario
section which describes the problems that SSP is intended to address section which describes the problems that SSP is intended to address
as well as the deployment issues surrounding the base problems. The as well as the deployment issues surrounding the base problems. The
second section is the Requirements that arise because of those second section is the Requirements that arise because of those
skipping to change at page 6, line 23 skipping to change at page 6, line 23
address is also known as an Author address address is also known as an Author address
o First Party Signature: a first party signature is a valid o First Party Signature: a first party signature is a valid
signature where the domain tag (d= or the more specific identity signature where the domain tag (d= or the more specific identity
i= tag) matches the first party address. "Matches" in this i= tag) matches the first party address. "Matches" in this
context is defined in [I-D.ietf-dkim-base] context is defined in [I-D.ietf-dkim-base]
o Third Party Signature: a third party signature is a valid o Third Party Signature: a third party signature is a valid
signature that does not qualify as a First Party Signature. Note signature that does not qualify as a First Party Signature. Note
that a DKIM third party signature is not required to correspond to that a DKIM third party signature is not required to correspond to
a third party address such as Sender or Listid, etc. a third party address such as Sender or List-Id, etc.
o Practice: a statement according to the [RFC2822].From domain o Practice: a statement according to the [RFC2822].From domain
holder of externally verifiable behavior in the email messages it holder of externally verifiable behavior in the email messages it
sends. A practice should always be true when received by a sends. A practice should always be true when received by a
topologically adjacent SMTP. topologically adjacent SMTP server.
o Expectation: an Expectation combines with a Practice to convey o Expectation: an Expectation combines with a Practice to convey
what the domain holder considers the likely survivability of the what the domain holder considers the likely survivability of the
Practice for a non-topologically adjacent receiver. Practice for a non-topologically adjacent receiver.
o DKIM Signing Complete: a Practice where the domain holder asserts o DKIM Signing Complete: a Practice where the domain holder asserts
that all legitimate mail will be sent with a valid First Party that all legitimate mail will be sent with a valid First Party
Signature. Signature.
3. SSP Problem Scenarios 3. SSP Problem Scenarios
The email world is a diverse place with many deployment scenarios. The email world is a diverse place with many deployment
This section tries to outline some usage scenarios that it is considerations. This section tries to outline some usage scenarios
expected that DKIM signing/verifying will take place in, and how a that it is expected that DKIM signing/verifying will take place in,
new protocol might be helpful to clarify the relevance of DKIM signed and how a new protocol might be helpful to clarify the relevance of
mail. DKIM signed mail.
3.1. Problem Scenario 1: All Mail Signed with DKIM 3.1. Problem Scenario 1: Is All Mail Signed with DKIM?
After auditing their outgoing mail and deploying DKIM signing for all After auditing their outgoing mail and deploying DKIM signing for all
of their legitimate outgoing mail, a domain could be said to be DKIM of their legitimate outgoing mail, a domain could be said to be DKIM
signing complete. That is, the domain has to the best of its ability signing complete. That is, the domain has to the best of its ability
insured that all mail legitimately purporting to have come from that ensured that all legitimate mail purporting to have come from that
domain contains a valid DKIM signature. domain contains a valid DKIM signature.
A receiver in the general case doesn't know what the practices are A receiver in the general case doesn't know what the practices are
for a given domain, or what their expectations are for unsigned mail. for a given domain. Thus the receiver is at a disadvantage in that
Thus the receiver is at a disadvantage in that it does not know if it it does not know if it should expect all mail to be signed from a
should expect mail to be signed from a given domain or not. This given domain or not. This knowledge gap leads to a trivially
knowledge gap leads to a trivially exploitable bid-down attack where exploitable bid-down attack where the attacker merely sends unsigned
the attacker merely sends unsigned mail; since the receiver doesn't mail; since the receiver doesn't know the practices of the signing
know the practices of the signing domain, it cannot treat the message domain, it cannot treat the message any more harshly for lack of a
any more harshly for lack of a valid signature. valid signature.
An information service which allowed a receiver to query for the An information service which allows a receiver to query for the
practices and expectations of the first party domain when no valid practices and expectations of the first party domain when no valid
first party signature is found could be useful in closing this gap. first party signature is found could be useful in closing this gap.
A receiver could use this information to treat such questionable mail A receiver could use this information to treat such questionable mail
with varying degrees of prejudice. with varying degrees of prejudice.
Note that for the foreseeable future, unrestricted use patterns of Note that for the foreseeable future, unrestricted use patterns of
mail (eg where users may be members of mailing lists, etc) will mail (eg where users may be members of mailing lists, etc) will
likely suffer occasional non-malicious signature failure in transit. likely suffer occasional non-malicious signature failure in transit.
While probably not a large percentage of total traffic, the kind of While probably not a large percentage of total traffic, the kind of
breakage may be a significant concern for those usage patterns. This breakage may be a significant concern for those usage patterns. This
scenario defines where the sender cannot set any expectation as to scenario defines where the sender cannot set any expectation as to
whether an individual message will arrive intact. whether an individual message will arrive intact.
Even without that expectation, a receiver may be able to take Even without that expectation, a receiver may be able to take
advantage of the knowledge that the domain's practice is to sign all advantage of the knowledge that the domain's practice is to sign all
mail and bias filters against unsigned or damaged in transit mail. mail and bias its filters against unsigned or damaged in transit
This information should not be expected to be used in a binary yes/no mail. This information should not be expected to be used in a binary
fashion, but instead as a data point among others in a filtering yes/no fashion, but instead as a data point among others in a
system. filtering system.
1. Mail with a [RFC2822].From A purportedly sends to B with a The following exchange illustrates problem scenario 1.
missing or broken DKIM first party signature from A
1. Mail with a [RFC2822].From A sends to B with a missing or broken
DKIM first party signature from A
2. B would like to know whether that is an expected state of 2. B would like to know whether that is an expected state of
affairs. affairs.
3. A provides information that it signs all outgoing mail, but 3. A provides information that it signs all outgoing mail, but
places no expectation on whether it will arrive with an intact places no expectation on whether it will arrive with an intact
first party signature. first party signature.
4. B could use this information to bias its filters such that it 4. B could use this information to bias its filters to examines the
looks somewhat more suspicious. message with some suspicion.
3.2. Problem Scenario 2: Illegitimate Domain Name Use 3.2. Problem Scenario 2: Illegitimate Domain Name Use
A class of mail typified by transactional mail from high value A class of mail typified by transactional mail from high value
domains is the target of phishing attacks. In particular, many domains is the target of phishing attacks. In particular, many
phishing scams forge the [RFC2822].From address in addition to phishing scams forge the [RFC2822].From address in addition to
spoofing much of the content to trick unsuspecting users into spoofing much of the content to trick unsuspecting users into
revealing sensitive information. Domain holders sending this kind of revealing sensitive information. Domain holders sending this kind of
mail would like the ability to give an enhanced guarantee that mail mail would like the ability to give an enhanced guarantee that mail
sent in their name should always arrive with the proof that the sent in their name should always arrive with the proof that the
domain holder consented to its transmission. That is, the message domain holder consented to its transmission. That is, the message
should contain a valid first party signature as defined above. should contain a valid first party signature as defined above.
From a receiver's standpoint, knowing that a domain not only signs From a receiver's standpoint, knowing that a domain not only signs
all of its mail, but places a very high value on the receipt of a all of its mail, but places a very high value on the receipt of a
valid first party signature from that domain is helpful. Hence a valid first party signature from that domain is helpful. Hence a
receiver can know that the domain not only signs all of its mail, but receiver can know that the domain not only signs all of its mail, but
also feels it essential that legitimate mail must have its first also feels it essential that legitimate mail must have its first
party signatures survive transit. A receiver with the knowledge of party signatures survive transit. A receiver with the knowledge of
the sender's expectations in hand might choose to process messages the sender's expectations in hand might choose to process messages
not conforming to the published practices in a special manner. not conforming to the published practices in a special manner. Note
that the ability to state an enhanced guarantee of a valid signature
means that senders should expect mail that traverses modifying
intermediaries (eg, mailing lists, etc) will be likely be quarantined
or deleted, thus this scenario is more narrow than problem scenario
1.
[Informative Note: in terms of a receiving filter, one may choose [Informative Note: in terms of a receiving filter, one may choose
to treat scenario 2 much more harshly than scenario 1; where to treat scenario 2 much more harshly than scenario 1; where
scenario 1 looks odd, scenario 2 looks like something is very scenario 1 looks odd, scenario 2 looks like something is very
wrong] wrong]
1. Mail with a [RFC2822].From A purportedly sends to B with a 1. Mail with a [RFC2822].From A purportedly sends to B with a
missing or broken first party DKIM signature from A missing or broken first party DKIM signature from A
2. B would like to know whether that is an expected state of 2. B would like to know whether that is an expected state of
affairs. affairs.
3. A provides information that it signs all outgoing mail, but 3. A provides information that it signs all outgoing mail, but
places an expectation that it should arrive with an intact first places an expectation that it should arrive with an intact first
party signature, and that the receiver should be suspicious if it party signature, and that the receiver should be much more wary
does not. if it does not.
4. B could use this information to bias its filters such that it 4. B could use this information to bias its filters such that it
looks much more suspicious. examines the message with great suspicion.
4. SSP Deployment Scenarios 4. SSP Deployment Considerations
Given the problems enumerated above for which we'd like SSP to Given the problems enumerated above for which we'd like SSP to
provide information to recipients, there are a number of scenarios provide information to recipients, there are a number of scenarios
that are not related to the problems that are to be solved, per se, that are not related to the problems that are to be solved, per se,
but the actual mechanics of implementing/deploying the information but the actual mechanics of implementing/deploying the information
service that SSP would provide. service that SSP would provide.
4.1. Deployment Scenario 1: Outsourced Signing 4.1. Deployment Consideration 1: Outsourced Signing
Many domains do not run their own mail infrastructure, or may Many domains do not run their own mail infrastructure, or may
outsource parts of it to third parties. It is desirable for a domain outsource parts of it to third parties. It is desirable for a domain
holder to have the ability delegate to other entities the ability to holder to have the ability delegate to other entities the ability to
sign for the domain holder. One obvious use scenario is a domain sign for the domain holder. One obvious use scenario is a domain
holder from a small domain that needs to have the ability for their holder from a small domain that needs to have the ability for their
outgoing ISP to sign all of their mail on behalf of the domain outgoing ISP to sign all of their mail on behalf of the domain
holder. Other use scenarios include outsourced bulk mail for holder. Other use scenarios include outsourced bulk mail for
marketing campaigns, as well as outsourcing various business marketing campaigns, as well as outsourcing various business
functions such as insurance benefits, etc. functions such as insurance benefits, etc.
4.2. Deployment Scenario 2: Determinism in Lookup Mechanism and 4.2. Deployment Consideration 2: Subdomain Coverage
Subdomain Coverage
SSP's client will generally be deployed on incoming mail streams to A SSP client will perform lookups on incoming mail streams to provide
provide the information as proposed in the problem scenarios. The the information as proposed in the problem scenarios. The domain
RFC2822.From address will be used as a basis for the lookup. More part of the first address of the RFC2822.From will form the basis to
precisely the domain part of the first address of the RFC2822.From fetch the published information. A trivial attack to circumvent
will form the trust basis to fetch the published information. A finding the published information can be mounted by simply using a
trivial attack to circumvent finding the published information could subdomain of the parent domain which doesn't have published
be mounted by simply using a subdomain of the parent which doesn't information. This attack is called the subdomain attack: that is, a
have published information. This attack is called the subdomain domain wants to not only publish a policy for a given DNS label it
attack: that is, a domain needs to not only publish a policy for a controls, but it would also like to protect all subdomains of that
given DNS label it controls, but it also may need to protect all label as well. If this characteristic is not met, an attacker would
subdomains of that label as well. If this characteristic is not met, need only create a possibly fictitious subdomain that was not covered
an attacker would need only create a possibly fictitious subdomain by SSP's information service. Thus, it would be advantageous for SSP
which was not covered by SSP's information service. Thus, it would to not only cover a given domain, but all subdomains of that domain
be advantageous for The Protocol to not only cover a given domain, as well.
but all subdomains of that domain as well.
4.3. Deployment Scenario 3: Resent Original Mail 4.3. Deployment Consideration 3: Resent Original Mail
Resent mail is a common occurrence in many scenarios in the email Resent mail is a common occurrence in many scenarios in the email
world of today. For example, Alice sends a DKIM signed message with world of today. For example, Alice sends a DKIM signed message with
a published practice of signing all messages to Bob's mailing list. a published practice of signing all messages to Bob's mailing list.
Bob, being a good net citizen, wants to be able to take his part of Bob, being a good net citizen, wants to be able to take his part of
the responsibility of the message in question, so he DKIM signs the the responsibility of the message in question, so he DKIM signs the
message, perhaps corresponding to the Sender address. message, perhaps corresponding to the Sender address.
Note that this scenario is completely orthogonal to whether Alice's Note that this scenario is completely orthogonal to whether Alice's
signature survived Bob's mailing list: Bob merely wants to assert his signature survived Bob's mailing list: Bob merely wants to assert his
part in the chain of accountability for the benefit of the ultimate part in the chain of accountability for the benefit of the ultimate
receivers. It would be useful for this practice to be encouraged as receivers. It would be useful for this practice to be encouraged as
it gives a more accurate view of who handled the message. It also it gives a more accurate view of who handled the message. It also
has the side benefit that remailers that are not friendly to DKIM has the side benefit that remailers that are not friendly to DKIM
first party signatures (ie, break them) can be potentially assessed first party signatures (ie, break them) can be potentially assessed
by the receiver based on the receiver's opinion of the signing by the receiver based on the receiver's opinion of the signing
domains that actually survived. domains that actually survived.
4.4. Deployment Scenario 4: Incremental Deployment of Signing 4.4. Deployment Consideration 4: Incremental Deployment of Signing
As a practical matter, it may be difficult for a domain to roll out As a practical matter, it may be difficult for a domain to roll out
DKIM signing such that they can publish the DKIM Signing Complete DKIM signing such that they can publish the DKIM Signing Complete
practice given the complexities of the user population, outsourced practice given the complexities of the user population, outsourced
vendors sending on its behalf, etc. This leaves open an exploit that vendors sending on its behalf, etc. This leaves open an exploit that
high-value mail such as in Problem Scenario 2 must be classified to high-value mail such as in Problem Scenario 2 must be classified to
the least common denominator of the published practices. It would be the least common denominator of the published practices. It would be
desirable to allow a domain holder to publish a list of exceptions desirable to allow a domain holder to publish a list of exceptions
which would have a stronger practices statement. which would have a more restrictive practices statement. NB: this
consideration has been deemed met by the mechanisms provided by the
base DKIM signing mechanism; it is merely documented here as having
been an issue.
For example, bigbank.example.com might be ready to say that For example, bigbank.example.com might be ready to say that
statements@bigbank.example.com is always signed, but the rest of the statements@bigbank.example.com is always signed, but the rest of the
domain, say, is not. Another situation is that the practices of some domain, say, is not. Another situation is that the practices of some
address local parts in a given domain are not the same as practices address local parts in a given domain are not the same as practices
of other local parts. Using the same example of of other local parts. Using the same example of
statements@bigbank.example.com being a transactional kind of email statements@bigbank.example.com being a transactional kind of email
which would like to publish very strong practices, mixed in with the which would like to publish very strong practices, mixed in with the
rest of the user population local parts which may go through mailing rest of the user population local parts which may go through mailing
lists, etc, for which a less strong statement is appropriate. lists, etc, for which a less strong statement is appropriate.
It should be said that DKIM, through the use of subdomains, can It should be said that DKIM, through the use of subdomains, can
already support this kind of differentiation. That is, in order to already support this kind of differentiation. That is, in order to
publish a strong practice, one only has to segregate those cases into publish a strong practice, one only has to segregate those cases into
different subdomains. For example: accounts.bigbank.example.com different subdomains. For example: accounts.bigbank.example.com
would publish constrained practices while would publish constrained practices while
corporateusers.bigbank.example.com might publish more permissive corporateusers.bigbank.example.com might publish more permissive
practices. practices.
4.5. Deployment Scenario 5: Transport Scenarios 4.5. Deployment Consideration 5: Performance and Caching
Email service provides an any-any mesh of potential connections: all Email service provides an any-any mesh of potential connections: all
that is required is the publication of an MX record and a SMTP that is required is the publication of an MX record and a SMTP
listener to receive mail. Thus the use of SSP is likely to fall into listener to receive mail. Thus the use of SSP is likely to fall into
two main scenarios, the first of which are large, well known domains two main scenarios, the first of which are large, well known domains
who are in constant contact with one another. In this case caching who are in constant contact with one another. In this case caching
of records is essential for performance, including the caching of the of records is essential for performance, including the caching of the
non-existence of records (ie, negative caching). non-existence of records (ie, negative caching).
The second main scenario is when a domain exchanges mail with a much The second main scenario is when a domain exchanges mail with a much
smaller volume domain. This scenario can be both perfectly normal as smaller volume domain. This scenario can be both perfectly normal as
with the case of vanity domains, and sadly a vector for those sending with the case of vanity domains, and sadly a vector for those sending
mail for anti-social reasons. In this case we'd like the burden to mail for anti-social reasons. In this case we'd like the message
SSP querier to be low, since many of the lookups will not provide a exchange burden to SSP querier to be low, since many of the lookups
useful answer. Likewise, it would be advantageous to have upstream will not provide a useful answer. Likewise, it would be advantageous
caching here as well so that, say, a mailing list exploder on a small to have upstream caching here as well so that, say, a mailing list
domain does not result in an explosion of queries back at the root exploder on a small domain does not result in an explosion of queries
server for the small domain. back at the root and authoritative server for the small domain.
4.6. Deployment Scenario 6: Human Legibility of Practices 4.6. Deployment Consideration 6: Human Legibility of Practices
While SSP records are likely to be primarily consumed by an While SSP records are likely to be primarily consumed by an
automaton, for the foreseeable future they are also likely to be automaton, for the foreseeable future they are also likely to be
inspected by hand. It would be nice to have the practices stated in inspected by hand. It would be nice to have the practices stated in
a fashion which is also intuitive to the human inspectors. a fashion which is also intuitive to the human inspectors.
4.7. Deployment Scenario 7: Cryptographic Downgrade Attacks 4.7. Deployment Consideration 7: Extensibility
There is a downgrade attack possible when a DKIM signature is hashed
with a previously acceptable but now insecure hash algorithm. This
could allow attackers to send their chosen text which is apparently
signed by the targeted domain. It would be advantageous for a domain
to publish what the allowable signing/hashing algorithms are to
prevent this downgrade attack.
4.8. Deployment Scenario 8: Extensibility
While this document pertains only to requirements surrounding DKIM While this document pertains only to requirements surrounding DKIM
signing practices, it would be beneficial for the protocol to be able signing practices, it would be beneficial for the protocol to be able
to extend to other protocols. to extend to other protocols.
4.9. Deployment Scenario 9: Security 4.8. Deployment Consideration 8: Security
SSP must be able to withstand life in a hostile open internet SSP must be able to withstand life in a hostile open internet
environment. These include DoS attacks, and especially DoS attacks environment. These include DoS attacks, and especially DoS attacks
that leverage themselves through amplification inherent in the that leverage themselves through amplification inherent in the
protocol. In addition, while a useful protocol may be built without protocol. In addition, while a useful protocol may be built without
strong source authentication provided by the information service, a strong source authentication provided by the information service, a
path to strong source authentication should be provided by the path to strong source authentication should be provided by the
protocol, or underlying protocols. protocol, or underlying protocols.
5. Requirements 5. Requirements
skipping to change at page 13, line 32 skipping to change at page 13, line 32
2. In order to limit the cost of its use, any query service 2. In order to limit the cost of its use, any query service
supplying SSP's information MUST provide a definitive responsive supplying SSP's information MUST provide a definitive responsive
within a small, deterministic number of query exchanges. within a small, deterministic number of query exchanges.
[Informative Note: this, for all intents and purposes is a [Informative Note: this, for all intents and purposes is a
prohibition on anything that might produce loops or result in prohibition on anything that might produce loops or result in
extended delays and overhead; also though "deterministic" extended delays and overhead; also though "deterministic"
doesn't specify how many exchanges, the expectation is "few".] doesn't specify how many exchanges, the expectation is "few".]
[Refs: Deployment Scenario 2] [Refs: Deployment Considerations 2, 5]
3. SSP's publishing mechanism MUST be defined such that it does not 3. SSP's publishing mechanism MUST be defined such that it does not
lead to multiple records of different protocols residing at the lead to multiple records of different protocols residing at the
same location. same location.
[Informative note: An example is multiple resource record of [Informative note: An example is multiple resource record of
the same type within a common DNS leaf. Hence, uniquely the same type within a common DNS leaf. Hence, uniquely
defined leaf names or uniquely defined resource record types defined leaf names or uniquely defined resource record types
will ensure unambiguous reference.] will ensure unambiguous reference.]
[Refs: Deployment Scenario 2] [Refs: Deployment Consideration 2]
4. SSP must be capable of providing coverage for not only the domain 4. SSP retrieval SHOULD provide coverage for not only a given domain
but all of its subdomains as well. If all subdomains cannot be but all of its subdomains as well. The process of obtaining the
directly associated with the parent's information, the protocol parent domain's practices MUST complete in a deterministic number
MUST be able to communicate that the domain name is suspicious. of steps. It is recognized that there is some reasonable doubt
The process of obtaining the parent domain's practices MUST about the feasibility of a widely accepted solution to this
complete in a deterministic number of steps, preferably few. In requirement. If the working group does not achieve rough
widening the scope to have the possibility of all subdomains consensus on a solution, it MUST document the relevant security
inherit the parent practice, a number of algorithms could be considerations in the protocol specification.
employed -- all seemingly with their own set of engineering
tradeoffs. A common theme in the production of this document was
that the number of lookups, on average should be small, and that
the discovery process should always be bound to some small finite
number of queries.
[Refs: Deployment Scenario 2 [Refs: Deployment Considerations 2, 5
5.2. SSP Transport Requirements 5.2. SSP Transport Requirements
The publication and query mechanism will operate over the Internet The publication and query mechanism will operate as an an internet-
message exchange. This lower layer service must exhibit basic based message exchange. There are multiple requirements for this
characteristics: lower layer service:
1. Widespread deployment of the transport layer would be highly 1. The exchange SHOULD have existing widespread deployment of the
desirable, especially if riding on top of a true transport layer transport layer, especially if riding on top of a true transport
(eg, TCP, UDP). layer (eg, TCP, UDP).
[Refs: Deployment Scenario 5, 8] [Refs: Deployment Considerations 5, 7]
2. A low-cost query/response in terms of latency time and the number 2. The query/response in terms of latency time and the number of
of packets involved is highly desirable. packets involved MUST be low (order of 1 or 2 exchanges).
[Refs: Deployment Scenario 5] [Refs: Deployment Consideration 5]
3. If the infrastructure doesn't provide caching (ala DNS), the 3. If the infrastructure doesn't provide caching (ala DNS), the
records retrieved will need time-to-live values to allow querying records retrieved MUST provide initiators the ability maintain
verifiers to maintain their own caches. Existing caching their own cache. Existing caching infrastructure is, however,
infrastructure is, however, highly desirable. highly desirable.
[Refs: Deployment Scenario 5] [Refs: Deployment Consideration 5]
4. Multiple geographically and topologically diverse servers must be 4. Multiple geographically and topologically diverse servers MUST be
supported for high availability supported for high availability
[Refs: Deployment Scenario 5, 8] [Refs: Deployment Considerations 5, 7]
5.3. Practice and Expectation Requirements 5.3. Practice and Expectation Requirements
As stated in the definitions a Practice is a statement according to As stated in the definitions a Practice is a statement according to
the [RFC2822].From domain holder of externally verifiable behavior in the [RFC2822].From domain holder of externally verifiable behavior in
the email messages it sends. As a silly example, a Practice might be the email messages it sends. As an example, a Practice might be
defined that all email messages will contain an X-Silly header. defined that all email messages will contain a DKIM signature
Since there is a possibility of alteration between what a sender corresponding to the RFC2822.From address. Since there is a
sends and a receiver examines, an Expectation combines with a possibility of alteration between what a sender sends and a receiver
Practice to convey what the domain holder considers the likely examines, an Expectation combines with a Practice to convey what the
outcome of the survivability of the Practice for at a receiver. For RFC2822.From domain considers the likely outcome of the survivability
example, a Practice that X-Silly is present when it is sent from the of the Practice at a receiver. For example, a Practice that a valid
domain, and an Expectation that it will remain present for receivers DKIM for the RFC2822.From address is present when it is sent from the
whether topologically adjacent or not. domain, and an Expectation that it will remain present and valid for
all receivers whether topologically adjacent or not.
1. SSP MUST be able to make Practices and Expectation assertions 1. SSP MUST be able to make Practices and Expectation assertions
about the [RFC2822].From address in the context of DKIM. SSP about the domain part of a [RFC2822].From address in the context
will not make assertions about other addresses for DKIM at this of DKIM. SSP will not make assertions about other addresses for
time. DKIM at this time.
[Refs: Problem Scenario 1,2] [Refs: Problem Scenarios 1,2]
2. SSP MUST provide a concise linkage between the [RFC2822].From 2. SSP MUST provide a concise linkage between the [RFC2822].From
and the identity in the DKIM i= tag, or its default if it is and the identity in the DKIM i= tag, or its default if it is
missing in the signature. That is, SSP MUST precisely define missing in the signature. That is, SSP MUST precisely define
the semantics of what qualifies as a First Party Signature. the semantics of what qualifies as a First Party Signature.
[Refs: Problem Scenario 1,2] [Refs: Problem Scenarios 1,2]
3. SSP MUST be able to publish a Practice that the domain's signing 3. SSP MUST be able to publish a Practice that the domain's signing
behavior is "DKIM Signing Complete". That is, all messages were behavior is "DKIM Signing Complete". That is, all messages were
transmitted with a valid first party signature. transmitted with a valid first party signature.
[Refs: Problem Scenario 1] [Refs: Problem Scenario 1]
4. SSP MUST be able to publish an Expectation that a verifiable 4. SSP MUST be able to publish an Expectation that a verifiable
first party DKIM Signature should be expected on receipt of a first party DKIM Signature should be expected on receipt of a
message. message.
[Refs: Problem Scenario 2] [Refs: Problem Scenario 2]
5. Practices and Expectations MUST be presented in SSP syntax using 5. Practices and Expectations MUST be presented in SSP syntax using
as intuitive a descriptor as possible. For example, p=? would as intuitive a descriptor as possible. For example, p=? would
be better represented as p=unknown. be better represented as p=unknown.
[Refs: Deployment Scenario 6] [Refs: Deployment Consideration 6]
6. Because DKIM uses DNS to store selectors, there is always the 6. Because DKIM uses DNS to store selectors, there is always the
ability for a domain holder to delegate all or parts of the ability for a domain holder to delegate all or parts of the
_domainkey subdomain to an affiliated party of the domain _domainkey subdomain to an affiliated party of the domain
holder's choosing. That is, the domain holder may be able to holder's choosing. That is, the domain holder may set an NS
set a NS record for _domainkey.example.com to, say, an email record for _domainkey.example.com to delegate to an email
provider who manages that namespace. There is also the ability provider who manages the entire namespace. There is also the
for the domain holder to partition its namespace into subdomains ability for the domain holder to partition its namespace into
to further constrain third parties. For example, a domain subdomains to further constrain third parties. For example, a
holder could delegate only _domainkey.benefits.example.com to a domain holder could delegate only
third party to constrain the third party to only be able to _domainkey.benefits.example.com to a third party to constrain
produce valid signatures in the benefits.example.com subdomain. the third party to only be able to produce valid signatures in
Last, a domain holder can even use CNAME's to delegate the benefits.example.com subdomain. Last, a domain holder can
individual leaf nodes. Thus SSP need not invent a different even use CNAME's to delegate individual leaf nodes. Given the
means of allowing affiliated parties to sign on a domain's above considerations, SSP need not invent a different means of
behalf at this time. allowing affiliated parties to sign on a domain's behalf at this
time.
[Refs: Deployment Consideration 4]
7. Practices and Expectations MUST be presented as an information 7. Practices and Expectations MUST be presented as an information
service from the signing domain to be consumed as an added service from the signing domain to be consumed as an added
factor to the receiver's local policy. In particular, a factor to the receiver's local policy. In particular, a
Practice or Expectation MUST NOT mandate any disposition stance Practice or Expectation MUST NOT mandate any disposition stance
on the receiver. on the receiver.
[Refs: Problem Scenario 1, 2, 3] [Refs: Problem Scenarios 1, 2]
8. There is no requirement that SSP publish a Practices of any/all 8. There is no requirement that SSP publish a Practices of any/all
third parties that MUST NOT sign on the domain holder's behalf. third parties that MUST NOT sign on the domain holder's behalf.
This should be considered out of scope. This should be considered out of scope.
[INFORMATIVE NOTE: this is essentially saying that the [INFORMATIVE NOTE: this is essentially saying that the
protocol doesn't have to concern itself with being a protocol doesn't have to concern itself with being a
blacklist repository.] blacklist repository.]
[Refs: Problem Scenario 1-2] [Refs: Problem Scenarios 1,2]
9. SSP MUST NOT be required to be invoked if a valid first party 9. SSP MUST NOT be required to be invoked if a valid first party
signature is found. signature is found.
[Refs: Deployment Scenario 2] [Refs: Deployment Consideration 2]
10. [PROVISIONAL] The signing policy statement MUST be capable of
fully describing a signing practice in which multiple signatures
are always provided such that the policy is of utility to any
verifier is capable of verifying any of the signatures that are
always provided. Such a mechanism MUST NOT:
* Require the verifier to perform any additional DNS lookups
* Require duplication of configuration data
* In particular not require the policy record to provide for
the description of any cryptographic or cannonicalization
algorithm
INFORMATIVE NOTE: The ability to specify multiple signatures
is necessary in order to permit orderly transitions to new
cryptographic and canonicalization algorithms. Unless the
policy language is not sufficiently expressive to allow the
signer to describe the actual signature practice in this case
there is an opportunity for an attacker to exploit the fact
that there are verifiers that do not yet support the new
algorithm.
[Refs: Deployment Scenario 7]
11. SSP MUST NOT provide a mechanism which impugns the existence of 10. SSP MUST NOT provide a mechanism which impugns the existence of
non-first party signatures in a message. A corollary of this non-first party signatures in a message. A corollary of this
requirement is that the protocol MUST NOT link practices of requirement is that the protocol MUST NOT link practices of
first party signers with the practices of third party signers. first party signers with the practices of third party signers.
[INFORMATIVE NOTE: the main thrust of this requirement is [INFORMATIVE NOTE: the main thrust of this requirement is
that practices should only be published for that which the that practices should only be published for that which the
publisher has control, and should not meddle in what is publisher has control, and should not meddle in what is
ultimately the local policy of the receiver.] ultimately the local policy of the receiver.]
[Refs: Deployment Scenario 3] [Refs: Deployment Consideration 3]
5.4. Extensibility and Forward Compatibility Requirements 5.4. Extensibility and Forward Compatibility Requirements
1. SSP MUST NOT extend to any other protocol than DKIM for email at 1. SSP MUST NOT extend to any other protocol than DKIM for email at
this time. SSP SHOULD be able to extend for protocols other than this time. SSP SHOULD be extensible for protocols other than
DKIM. DKIM.
[Refs: Deployment Scenario 8] [Refs: Deployment Consideration 7]
2. SSP MUST be able to add new Practices and Expectations within the 2. SSP MUST be able to add new Practices and Expectations within the
existing discovery/transport/practices in a backward compatible existing discovery/transport/practices in a backward compatible
fashion. fashion.
[Refs: Deployment Scenario 8] [Refs: Deployment Consideration 7]
6. Security Requirements 6. Security Requirements
1. Minimize DoS potential: SSP for a high-value domain is 1. SSP for a high-value domain is potentially a high-value DoS
potentially a high-value DoS target, especially since the target, especially since the unavailability of SSP's record could
unavailability of SSP's record could make unsigned messages less make unsigned messages less suspicious.
suspicious.
2. Amplification Attacks: SSP MUST NOT make highly leveraged
amplification or make-work attacks possible. In particular any
amplification must be O(1).
[Author's question: is it really O(1)? or O(n)?] 2. SSP MUST NOT make highly leveraged amplification or make-work
attacks possible. In particular the work and message exchanges
involved MUST be order of a constant.
[Refs: Deployment Scenario 9] [Refs: Deployment Consideration 8]
3. Authenticity: SSP MUST have the ability for a domain holder to 3. SSP MUST have the ability for a domain holder to provide SSP's
provide SSP's data such that a receiver can determine that it is data such that a receiver can determine that it is authentically
authentically from the domain holder with a large degree of from the domain holder with a large degree of certainty. SSP may
certainty. SSP may provide means which provide less certainty in provide means which provide less certainty in trade off for ease
trade off for ease of deployment. of deployment.
[Refs: Deployment Scenario 9] [Refs: Deployment Consideration 8]
7. IANA Considerations 7. IANA Considerations
This document makes no request of IANA. This document makes no request of IANA.
Note to RFC Editor: this section may be removed on publication as an Note to RFC Editor: this section may be removed on publication as an
RFC. RFC.
8. Security Considerations 8. Security Considerations
This document defines requirements for a new protocol and the This document defines requirements for a new protocol and the
security related requirements are defined above. There is an security related requirements are defined above. There is an
expectation that SSP will not always be required to have source expectation that SSP will not always be required to have source
authentication of the practices information which is noteworthy. authentication of the practices information which is noteworthy.
9. Acknowledgments 9. Acknowledgments
Due to flipping in the market and raising interest rates, this home Dave Crocker and Jim Fenton provided substantial review of this
is no longer free. Dave Crocker and Jim Fenton helped me raise the document.
walls on this document and are accorded a room at the inn. The inn
is not yet full, however.
10. References 10. References
10.1. Normative References 10.1. Normative References
[I-D.ietf-dkim-base] [I-D.ietf-dkim-base]
Allman, E., "DomainKeys Identified Mail (DKIM) Allman, E., "DomainKeys Identified Mail (DKIM)
Signatures", draft-ietf-dkim-base-04 (work in progress), Signatures", draft-ietf-dkim-base-04 (work in progress),
July 2006. July 2006.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2822] Resnick, P., "Internet Message Format", RFC 2822, [RFC2822] Resnick, P., "Internet Message Format", RFC 2822,
April 2001. April 2001.
10.2. Informative References 10.2. Informative References
[I-D.ietf-dkim-overview]
Hansen, T., "DomainKeys Identified Mail (DKIM) Service
Overview", draft-ietf-dkim-overview-01 (work in progress),
June 2006.
[I-D.ietf-dkim-threats]
Fenton, J., "Analysis of Threats Motivating DomainKeys
Identified Mail (DKIM)", draft-ietf-dkim-threats-03 (work
in progress), May 2006.
Author's Address Author's Address
Michael Thomas Michael Thomas
Cisco Systems Cisco Systems
606 Sanchez St 606 Sanchez St
San Francisco, California 94114 San Francisco, California 94114
USA USA
Phone: +1-408-525-5386 Phone: +1-408-525-5386
Fax: +1-408-525-5386 Fax: +1-408-525-5386
 End of changes. 70 change blocks. 
219 lines changed or deleted 179 lines changed or added

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/