A Trust Overlay for Email Operations: DKIM and Beyond
Dave Crocker
Brandenburg Internet Working
bbiw.net
Apricot / Perth 2006
D. Crocker Apricot 2006 / Trust Overlay
We all know the problem…
“Bad Actors” send spam, phishing, etc.
  Detecting them is a continuing battle
  We are stuck with a permanent arms race
  Existing tools are pretty good, but are not enough
Need an effort to identify “Good Actors”
  They try to follow reasonable rules
  They fix problems, when they make errors
Trust Overlay
Upgrade, without changing basic email
  Easy, open, direct communications still possible
  Permit spontaneous contact (no prior arrangement)
Add special procedures for Good Actors
  1. Identify “responsible” participant
  2. If they conform to community standards, then…
  3. Give their mail “streamlined” delivery processing
1. Identify “Responsible” Participant
Types of identifiers
  IP Address of host or network operator
  Domain Name of user or operator
  Email address of author
Responsible for…
  Content – The author
  Message stream – An operator
Viable choices today
  IP Address
  SPF, Sender-ID (…)
  DKIM <http://dkim.org>
2a. Community Standards
Each receiver can have own preferences
  Tailor receive-side filtering criteria
Independent third-parties create own set
  White-/Black-list services
Broad community consensus
  Laws (well, maybe…)
  Industry “best practises” (if we can agree)
2b. Conform to community standards
Pre-receipt assessment
  Build the lists (accreditation, reputation)
Receipt-time enforcement
  Integrate into filtering engine
  [Add special flag to user-visible display of message]
Post-receipt correction
  Everyone makes mistakes, so compliance is an ongoing challenge
The Pieces of Trust
[Diagram. Labels: Message; Administrative Domain; Internet; Administrative Domain; ID / Signature Creation; ID / Signature Verification; ID / Key Query; Sender Signing Practices; ID / Signer Evaluation; Sender Assessment; Other Tests; Filter; ok / not ok]
DomainKeys Identified Mail (DKIM) Overview: <http://dkim.org>
Lets an organization take responsibility for a message
Their reputation is basis for evaluating whether to deliver
Adds digital signature to a message, associating it with a domain name
Multi-vendor specification
Derived from Yahoo DomainKeys and Cisco Identified Internet Mail
Stable signing specs available now!
Implementations, now!
IETF working group(!)
Refine and standardize
DKIM Goals
Msg header authentication
  DNS identifiers
  Public keys in DNS
End-to-end
  Between origin/receiver administrative domains.
  Not path-based
Transparent to end users
No client User Agent upgrades required
But extensible to per-user
Allow sender delegation
Outsourcing
Low development, deployment, use costs
No new, trusted third parties (except DNS)
Technical High-points
Signs body and selected parts of header
  Signature transmitted in DKIM-Signature header
Public key stored in DNS
  In _domainkey subdomain
  New RR type planned, with fall-back to TXT
Domain Names sub-divided using “selectors”
  Allows multiple keys for aging, delegation, etc.
Sender Signing Practices
  Signer can publish its rules, such as requiring signing
  Allows lookup for missing or improper signature
DKIM-Signature header
Example:
DKIM-Signature: a=rsa-sha1; q=dns;
    d=example.com;
    [email protected];
    s=jun2005.eng; c=relaxed/simple;
    t=1117574938; x=1118006938;
    h=from:to:subject:date;
    b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb
      av+yuU4zGeeruD00lszZVoG4ZHRNiYzR
DNS query will be made to:
    jun2005.eng._domainkey.example.com
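How a verifier gets from the DKIM-Signature header to the DNS key query, as an added example (not code from the slides or from any DKIM implementation). The function names are hypothetical, and the sample is the slide's header with the identity tag omitted because its value is elided on the page.

```python
import re

# Constructed sample: the slide's example header, with the identity tag left
# out because its value is elided on the page.
SAMPLE = (
    "DKIM-Signature: a=rsa-sha1; q=dns;\r\n"
    "    d=example.com;\r\n"
    "    s=jun2005.eng; c=relaxed/simple;\r\n"
    "    t=1117574938; x=1118006938;\r\n"
    "    h=from:to:subject:date;\r\n"
    "    b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb\r\n"
    "      av+yuU4zGeeruD00lszZVoG4ZHRNiYzR\r\n"
)

def parse_dkim_signature(header: str) -> dict:
    """Split a DKIM-Signature header field into its tag=value pairs."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header")
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue  # trailing ';' or empty element
        tag, sep, val = item.partition("=")  # later '=' (base64 padding) stays in val
        tag = tag.strip()
        if not sep or not tag:
            raise ValueError(f"malformed tag: {item!r}")
        if tag in tags:
            raise ValueError(f"duplicate tag: {tag}")
        # Folding whitespace is layout only: drop it inside b= and h=, trim elsewhere.
        tags[tag] = re.sub(r"\s+", "", val) if tag in ("b", "h") else val.strip()
    # Assumption: require the tags the slide's example carries (RFC 6376 also requires v= and bh=).
    for required in ("a", "d", "s", "h", "b"):
        if required not in tags:
            raise ValueError(f"missing required tag: {required}")
    return tags

def key_query_name(tags: dict) -> str:
    """Name queried for the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def signature_expired(tags: dict, now: int) -> bool:
    """True if the optional x= expiry (seconds since the epoch) has passed."""
    return "x" in tags and now > int(tags["x"])

def signed_headers(tags: dict) -> list:
    """Header field names covered by the signature, from the h= tag."""
    return [h.lower() for h in tags["h"].split(":")]
```

A receiver that finds `from` missing from `signed_headers()` or gets `True` from `signature_expired()` can skip the DNS lookup and treat the message as unsigned.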
Status and Plea
Deployment is happening (slowly)
  http://mipassoc.org/deploy
  Open source versions, with more coming
DNS administration is difficult
  We hope to create tools to make it easier
Plea(s)
  Please join http://mipassoc.org/supporters.html list
  Please try available versions
  Please encourage progress in IETF working group
Discussion…
Deployment