Pilot project proposal: AffiL Affiliated domain names for trust Dave Crocker Brandenburg InternetWorking bbiw.net

Slides:

Advertisements

Similar presentations

Lousy Introduction into SWITCHaai

Advertisements

Fighting Abuse with Trust: Enhancing the paradigm Dave Crocker Trusted Domain Project (trusteddomain.org) Brandenburg InternetWorking (bbiw.net) FCC ~

Proposal for a Pilot Project: Using DKIM to Create a Trust Channel Dave Crocker Brandenburg InternetWorking bbiw.net Dave Crocker Brandenburg InternetWorking.

Practical Digital Signature Issues. Paving the way and new opportunities. Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.

A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.

How Will Authentication Reduce Global Spam? OECD Anti-Spam Task Force Pusan – September, 2004 Dave Crocker Brandenburg InternetWorking OECD Anti-Spam Task.

© 2007 Convio, Inc. Implementation of Sender ID Bill Pease, Chief Scientist Convio.

DomainKeys Identified Mail (DKIM): Introduction and Overview Eric Allman Chief Science Officer Sendmail, Inc.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Interoperation Between a Conventional PKI and an ID-Based Infrastructure Geraint Price Royal Holloway University of London joint work with Chris Mitchell.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.

CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors.

Proxy Authentication of the Emergency Status of SIP Calls draft-barnes-ecrit-auth-00 Richard Barnes IETF 69, Chicago, IL, USA.

DomainKeys Identified Mail (DKIM) D. Crocker ~ bbiw.net dkim.org  Consortium spec Derived from Yahoo DomainKeys and Cisco Identified Internet Mail  IETF.

DomainKeys Identified Mail (DKIM) D. Crocker Brandenburg InternetWorking mipassoc.org/mass  Derived from Yahoo DomainKeys and Cisco.

CSCI 6962: Server-side Design and Programming

Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)

Identity Based Sender Authentication for Spam Mitigation Sufian Hameed (FAST-NUCES) Tobias Kloht (University of Goetingen) Xiaoming Fu (University.

OSIAM4HE Proposed org structure Authored by the strategy and organization team.

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

S New Security Developments in DICOM Lawrence Tarbox, Ph.D Chair, DICOM WG 14 (Security) Siemens Corporate Research.

Secure r How do you do it? m Need to worry about sniffing, modifying, end- user masquerading, replaying. m If sender and receiver have shared secret.

Wireless and Security CSCI 5857: Encoding and Encryption.

DNS-based Message-Transit Authentication Techniques D. Crocker Brandenburg InternetWorking D. Crocker Brandenburg InternetWorking.

1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.

Authentications INBOX Authentication Panel San Jose, CA – 2004 Dave Crocker Brandenburg InternetWorking INBOX Authentication Panel San Jose, CA –

1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.

Shib-Grid Integrated Authorization (Shintau) George Inman (University of Kent) TF-EMC2 Meeting Prague, 5 th September 2007.

Certified Server Validation (CSV) “ An MTA is talking to me directly. Are they OK?” D. Crocker Brandenburg InternetWorking mipassoc.org/csv 10/8/2015 6:36.

A Trust Overlay for Operations: DKIM and Beyond Dave Crocker Brandenburg Internet Working bbiw.net Apricot / Perth 2006 Dave Crocker Brandenburg.

1 EAP and EAI Alignment: FiXs Pilot Project December 14, 2005 David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.

MASS / DKIM BOF IETF – Paris 4 Août 2005 dkim.org  mipassoc.org/mass IETF – Paris 4 Août 2005 dkim.org  mipassoc.org/mass MIPA.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

SAML CCOW Work Item HL7 Working Group Meeting San Antonio - January 2008 Presented by: David Staggs, JD CISSP VHA Office of Information Standards.

(Business) Process Centric Exchanges

IETF - LTANS, March 2004P. Sylvester, Edelweb & A. Jerman Blazic, SETCCE Introduction The following slides were prepared as a result of analysis and discussion.

Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

QUALCOMM Incorporated 1 Protocol Options for BSN- BSMCS Controller Interface Jun Wang, Kirti Gupta 05/16/2005 Notice: Contributors grant a free, irrevocable.

IETF 65, Dallas, TX1 Introduction to SSP Jim Fenton 22 March 2006.

SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.

A Retrospective on Future Anti-Spam Standards Internet Society of China Beijing – September, 2004 Dave Crocker Brandenburg InternetWorking

1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.

Lifecycle Metadata for Digital Objects October 18, 2004 Transfer / Authenticity Metadata.

CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.

Matej Bel University Cascaded signatures Ladislav Huraj Department of Computer Science Faculty of Natural Sciences Matthias Bel University Banska Bystrica.

SAML FTF #4 Workitems Bob Blakley. SAML “SenderVouches” SubjectConfirmation Method: A Proposed Alternative to Bindings 0.5 Proposals.

Peering: A Minimalist Approach Rohan Mahy IETF 66 — Speermint WG.

Identity Proofing, Signatures, & Encryption in Direct esMD Author of Record Workgroup John Hall Coordinator, Direct Project June 13, 2012.

DIGITAL SIGNATURE.

Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 A Web Services Security Framework Jorgen Thelin Chief Scientist Cape Clear Software Inc.

Establishing authenticated channels and secure identifiers in ad-hoc networks Authors: B. Sieka and A. D. Kshemkalyani (University of Illinois at Chicago)

Need for Security Control access to servicesControl access to services Ensure confidentialityEnsure confidentiality Guard against attacksGuard against.

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

E-Authentication & Authorization Presentation to the EA2 Task Force March 6, 2007.

Proposal for DKIM Pilot Project: Making Authentication Useful Dave Crocker Brandenburg InternetWorking Dave Crocker Brandenburg InternetWorking.

IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.

Spoofing The False Digital Identity. What is Spoofing?  Spoofing is the action of making something look like something that it is not in order to gain.

Timeline – Standards & Requirements

Verstat Related Best Practices

Choosing the Discovery Model Martin Forsberg

Message Digest Cryptographic checksum One-way function Relevance

Murray S. Kucherawy REPUTE Extra Topics Murray S. Kucherawy

The Attribute and the ecosystem

MASS BOF IETF63, Paris 4 August 2005

Presentation transcript:

Pilot project proposal: AffiL Affiliated domain names for trust Dave Crocker Brandenburg InternetWorking bbiw.net

2 2 D. CrockerAffiL Proposal Identification – IP vs. Domain IP  Pros  Can be at SMTP time  Lots of existing practice  High granularity  Cons  Dynamic  Not portable  Shared among senders  Tied to machine, not org.IP  Pros  Can be at SMTP time  Lots of existing practice  High granularity  Cons  Dynamic  Not portable  Shared among senders  Tied to machine, not org. Domain Names  Pros  Aligns better with org  Long-term stability  Less long-term admin  Can be delegated  Cons  Must wait for message header to be transmitted  More complex software Domain Names  Pros  Aligns better with org  Long-term stability  Less long-term admin  Can be delegated  Cons  Must wait for message header to be transmitted  More complex software

3 3 D. CrockerAffiL Proposal DKIM – Identify a Responsible Party RFC 4871 Goals  Any handler can sign  Compatible/transparent with existing infrastructure  Minimal new infrastructure  Implemented independently of MUA clients  Deployed incrementally  Permit delegation of signing to third parties (non-authors)Goals  Any handler can sign  Compatible/transparent with existing infrastructure  Minimal new infrastructure  Implemented independently of MUA clients  Deployed incrementally  Permit delegation of signing to third parties (non-authors)Non-Goals  No linkage to other ID field  No assertions about behaviors of signing identity  Not directions to receivers  No protection after signature verification.  No re-play protection  Transit intermediary or a recipient can re-post the messageNon-Goals  No linkage to other ID field  No assertions about behaviors of signing identity  Not directions to receivers  No protection after signature verification.  No re-play protection  Transit intermediary or a recipient can re-post the message

4 4 D. CrockerAffiL Proposal Authentication is Useless…  … by itself  We all say this, but do we appreciate what it really means?  We often say: If you have a validated name, you can make simple decisions for folks you know.  After all, you already know that I’m a great guy…  But this means really means you’ve gone beyond simple authentication… into reputation.  This added layer is a barrier to adoption of authentication!  Must have a reputation step, before an adopter gets value.  Potential adopters of authentication are waiting for compelling and immediate utility that is turnkey.  … by itself  We all say this, but do we appreciate what it really means?  We often say: If you have a validated name, you can make simple decisions for folks you know.  After all, you already know that I’m a great guy…  But this means really means you’ve gone beyond simple authentication… into reputation.  This added layer is a barrier to adoption of authentication!  Must have a reputation step, before an adopter gets value.  Potential adopters of authentication are waiting for compelling and immediate utility that is turnkey.

5 5 D. CrockerAffiL Proposal Trust can be a separate channel FilterFilter Receiver is on their own: Forced to guess FilterFilter FilterFilter Sender/Receiver collaboration

6 6 D. CrockerAffiL Proposal Recipe for Trust  Identification generated by ‘sender’  Validation it really is them  Assessment of the sender’s worthiness  Reputation of goodness/badness  Attributes  Reputation  [ Multiple assessments  filter ]  Identification generated by ‘sender’  Validation it really is them  Assessment of the sender’s worthiness  Reputation of goodness/badness  Attributes  Reputation  [ Multiple assessments  filter ] Author DKIMDKIM ValidatingSigning Identity Assessor Responsible Identity Handling Filter Recipient

7 7 D. CrockerAffiL Proposal Can a simple project help?  Some utility, based on authentication  Without prior sender/receiver arrangement  Goals  Simple, useful  Not compete with “reputation” services…  Possibly serve as a template for others  Proposal  Affiliations List (AffiL): “belonging” not “goodness”  Spec: mipassoc.org/affil  Some utility, based on authentication  Without prior sender/receiver arrangement  Goals  Simple, useful  Not compete with “reputation” services…  Possibly serve as a template for others  Proposal  Affiliations List (AffiL): “belonging” not “goodness”  Spec: mipassoc.org/affil

8 8 D. CrockerAffiL Proposal Affiliations List (AffiL)  Pilot project  Create an trust domain among member institutions to permit streamlined filter handling.  Demonstrate utility of validated affiliations list  Publish a list of affiliations (membership)  Membership can be a meaningful “indication” of Goodness  Might publish related attributes, like type of institution  Assessor might interpret favorably, but not give message a free pass  Could be template for other organizations to use  Pilot project  Create an trust domain among member institutions to permit streamlined filter handling.  Demonstrate utility of validated affiliations list  Publish a list of affiliations (membership)  Membership can be a meaningful “indication” of Goodness  Might publish related attributes, like type of institution  Assessor might interpret favorably, but not give message a free pass  Could be template for other organizations to use

9 9 D. CrockerAffiL Proposal Example Affiliations  FDIC member organization  Sent from the US Senate  Better Business Bureau member  ISOI attendee  DMA member  FDIC member organization  Sent from the US Senate  Better Business Bureau member  ISOI attendee  DMA member  Authorized 3 rd- party agent of purported author  Domain name (actually) owned by the most spoofed company  Authorized 3 rd- party agent of purported author  Domain name (actually) owned by the most spoofed company

10 D. CrockerAffiL Proposal Project Details  Write charter for project  Define expected use by assessment engine  Agree on list semantics  Evaluate legal implications  Document and publish it  Write charter for project  Define expected use by assessment engine  Agree on list semantics  Evaluate legal implications  Document and publish it  Obtain agreements to publish  Define DNS/VBR* query format  Begin operation  Document the project  Recruit spamassassin and other users of list  Obtain agreements to publish  Define DNS/VBR* query format  Begin operation  Document the project  Recruit spamassassin and other users of list * VBR: Vouch by Reference

11 D. CrockerAffiL Proposal Attributes in an Entry  Domain name  Associated name of organization  Member attributes, such as  Type of membership  Duration of membership  Security policies  …  Domain name  Associated name of organization  Member attributes, such as  Type of membership  Duration of membership  Security policies  …

12 D. CrockerAffiL Proposal Your turn…  Interest?  Idea of membership lists  Participation in pilot project  Concerns?  Interest?  Idea of membership lists  Participation in pilot project  Concerns?