DKIM Policy Proposals. 3 Proposals ‘A La Carte’ Discovery Mechanism RISC Policy Description –Its (almost) all in the Key Records RISC Policy Description.

Slides:



Advertisements
Similar presentations
Security Issues In Mobile IP
Advertisements

W3C SML F2F XML Schema 1.1 Sandy Gao, IBM.
Web Service Security CS409 Application Services Even Semester 2007.
Authentication Approaches Phillip Hallam-Baker VeriSign Inc.
Module 6 Implementing Messaging Security. Module Overview Deploying Edge Transport Servers Deploying an Antivirus Solution Configuring an Anti-Spam Solution.
Database Update Kaveh Ranjbar Database Department Manager, RIPE NCC.
© 2007 Convio, Inc. Implementation of Sender ID Bill Pease, Chief Scientist Convio.
DKIM WG IETF-67 DKIM Originating Signing Policy Douglas Otis
1 Aug. 3 rd, 2007Conference on and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.
DomainKeys Identified Mail (DKIM): Introduction and Overview Eric Allman Chief Science Officer Sendmail, Inc.
IMF Mihály Andó IT-IS 6 November Mihály Andó 2 / 11 6 November 2006 What is IMF? ­ Intelligent Message Filter ­ provides server-side message filtering,
CS470, A.Selcuk Security1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Lecture 22 Internet Security Protocols and Standards
Types of Requirements  Functional Requirements  Descriptions of actions or processes that create or update information.  Outlines of reports or on-line.
Sender policy framework. Note: is a good reference source for SPFhttp://
Simple Mail Transfer Protocol (SMTP) Team: Zealous Team: Zealous Presented By: Vishal Parikh ( ) Vishal Parikh ( ) Ribhu Pathria( )
Application of Attribute Certificates in S/MIME Greg Colla & Michael Zolotarev Baltimore Technologies 47 th IETF Conference Adelaide, March 2000.
DomainKeys Identified Mail (DKIM) D. Crocker ~ bbiw.net dkim.org  Consortium spec Derived from Yahoo DomainKeys and Cisco Identified Internet Mail  IETF.
DomainKeys Identified Mail (DKIM) D. Crocker Brandenburg InternetWorking mipassoc.org/mass  Derived from Yahoo DomainKeys and Cisco.
Introducing SEG V4 Clearswift.
Login Screen This is the Sign In page for the Dashboard Enter Id and Password to sign In New User Registration.
Pilot project proposal: AffiL Affiliated domain names for trust Dave Crocker Brandenburg InternetWorking bbiw.net
Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.
© 2007 Convio, Inc. Implementation of Yahoo DomainKeys Bill Pease, Chief Scientist Convio.
Login Screen This is the Sign In page for the Dashboard New User Registration Enter Id and Password to sign In.
Masud Hasan Secue VS Hushmail Project 2.
DNS-based Message-Transit Authentication Techniques D. Crocker Brandenburg InternetWorking D. Crocker Brandenburg InternetWorking.
Defending DKIM IETF 65 Threats and Strategies Douglas Otis
DKIM Reporting Murray S. Kucherawy. The Problems to Solve Senders want to know when their brands are being violated –Mail being forged as coming from.
A Trust Overlay for Operations: DKIM and Beyond Dave Crocker Brandenburg Internet Working bbiw.net Apricot / Perth 2006 Dave Crocker Brandenburg.
MASS / DKIM BOF IETF – Paris 4 Août 2005 dkim.org  mipassoc.org/mass IETF – Paris 4 Août 2005 dkim.org  mipassoc.org/mass MIPA.
IETF 65, Dallas, TX1 Introduction to SSP Jim Fenton 22 March 2006.
Slide 1 © 2004 Reactivity The Gap Between Reliability and Security Eric Gravengaard Reactivity.
SPF/Sender-ID DNS & DDoS Threats Operations Analysis and Research Center for the Internet Douglas Otis November 3, 2007
1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.
 A Web service is a method of communication between two electronic devices over World Wide Web.
IETF-64 DKIM BoF BoF Chairs Stephen Farrell Barry Leiba Domain Keys Identified Mail draft charter, mailing.
SPF/Sender-ID DNS & DDoS Threats Internet Security Operations and Intelligence II Douglas Otis
Identity Proofing, Signatures, & Encryption in Direct esMD Author of Record Workgroup John Hall Coordinator, Direct Project June 13, 2012.
RUCUS - IETF 71 1 Lessons Learned From IETF Antispam Work Jim Fenton.
Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 A Web Services Security Framework Jorgen Thelin Chief Scientist Cape Clear Software Inc.
12 Chapter 12: Advanced Topics in Object-Oriented Design Systems Analysis and Design in a Changing World, 3 rd Edition.
Policy Considerations Phill Hallam Baker. We have a choice.
Created by Ed, VE7ED.  For a Winlink user to receive a message, the sender's address must be listed in the recipient's whitelist (the accept list)
FIPA Abstract Architecture London FIPA meeting January 24-29, 2000 from: TC-A members.
Integrating Access Control with Intentional Naming Sanjay Raman MIT Laboratory for Computer Science January 8, 2002 With help from: Dwaine.
Private DNS Phillip Hallam-Baker. Objectives Privacy Confidentiality Traffic Analysis Authenticity Eliminate response spoofing Guarantee user’s choice.
Sender policy framework. Note: is a good reference source for SPFhttp://
KMIP Compliance Redefining Server and Client requirements to claim compliance Presented by: Bob Lockhart.
By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.
Design Guidelines Thursday July 26, 2007 Bernard Aboba IETF 69 Chicago, IL.
ECC Design Team: Initial Report Brian Minard, Tolga Acar, Tim Polk November 8, 2006.
Integrating Access Control with Intentional Naming Sanjay Raman MIT Laboratory for Computer Science January 8, 2002 With help from: Dwaine.
KMIP Compliance Redefining Server and Client requirements to claim compliance Presented by: Bob Lockhart.
Technical Security Issues in Cloud Computing By: Meiko Jensen, Jorg Schwenk, Nils Gruschka, Luigi Lo Lacono Presentation by: Winston Tong 2009 IEEE.
Securing Access to Data Using IPsec Josh Jones Cosc352.
IPv6 Security Issues Georgios Koutepas, NTUA IPv6 Technology and Advanced Services Oct.19, 2004.
1 Anonymity. 2 Overview  What is anonymity?  Why should anyone care about anonymity?  Relationship with security and in particular identification 
sender policy framework
Sender ID: An Overview for Registrars ICANN Vancouver December 1, 2005
Other DKIM-Related Drafts
Managing IP Traffic with ACLs
Goals of soBGP Verify the origin of advertisements
Introducing ACL Operation
Domain-based Authentication, Reporting, and Conformance
Spam Fighting at CERN 12 January 2019 Emmanuel Ormancey.
Slides Credit: Sogand Sadrhaghighi
MASS BOF IETF63, Paris 4 August 2005
Presentation transcript:

DKIM Policy Proposals

3 Proposals ‘A La Carte’ Discovery Mechanism RISC Policy Description –Its (almost) all in the Key Records RISC Policy Description –Transitions Meets all of the requirements specified –[6.3 Req 7: MUST NOT provide]

Discovery Mechanism Proposal ‘Dialectic’ Thesis: Use Prefixed TXT Record –100% Compatible with legacy infrastructure –Simple –Not Wildcard friendly Antithesis: Use new RR –DKIM is made reliant on deployment of new DNS infrastructure –Transition management is problematic –Result: RR nobody uses and a graceless wildcard kludge Synthesis –Leave prefix policy record as is –Introduce new prefix pointer record to solve wildcard problem –Result: Compatibility but with incentive to upgrade DNS

How – an additional indirection layer PPTR record –Argument is a DNS node –Does not take a prefix → wildcard friendly New resolution scheme for prefixed records 1.Look for TXT at _prefix.example.com 2.If not found look for PPTR at example.com 3.If found look for TXT at _prefix.pptr.example.com Wildcards work –But domains that do not need them can still use TXT

RISC Policy There is only one policy that matters –‘I do DKIM on everything’ The policy language must be extensible –But there are no DKIM policy extensions –Only extensions to describe non DKIM features ‘I use this reporting mechanism’ ‘I do S/MIME’ RISC policy language: –Tag [=value] sequence Example –DKIM

Why only one policy matters Key Records contain all the detail –The Key algorithms permitted –The C18N algorithms permitted –The sender addresses record applies to What if I want a partial policy? –Specify a Key Record for NULL algorithm Probably a sender address restriction! –Add a static header to each message

RISC Policy - Transitions What is policy for? –Allow conclusion to be drawn from Lack of a Signature header No Signature header Both MUST be treated the same – NVS I always sign + NVS means not compliant with policy –Signatures do not encourage message rejection Policy does 3 Outcomes 1.Signed 2.Compliant with policy but not authenticated 3.Not compliant

What does recipient do? Signed –Check to see if recipient qualifies for whitelist –If not standard spam filtering Compliant but not authenticated –Standard spam filtering Not Compliant –Standard spam filtering –Standard spam filter with higher suspicion –Reject (Probably not a good gateway policy) –May apply third party attributes (Sender is phishing target)

Navigating a Transition Sign messages twice –Sign (Old), Sign (New) –Some recipients only process Old [New] Key records for unsupported algorithm –MUST be treated as valid Policy must express fact we sign twice –DKIM=selector1 DKIM=selector2

Why Policy has 3 outcomes 1.Signed 2.Compliant with policy but not authenticated 3.Not compliant Fake Sig‘I sign’‘I sign twice’ Foo3  Bar2  3  Foo+ Bar2  3 

Summary Significantly reduce complexity of SSP Meets all requirements –Fully wildcard compatible Policy discovery always 3 steps or less Fully compatible with legacy DNS, DKIM But still has new RR Meets unstated requirements –Only means of navigating transition

dd

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.