The Affiliation Service provides input to reputation assessment mechanisms, whereby a validated domain is compared to a list of domain names whose owners are known to be members of a particular group. This information can be used for giving special treatment to messages known to be from that domain.
Its initial proposed use is to provide positive identification of a domain as belonging to a bona fide member of a particular group of high-value domain names that are often the subjects of “phishing” attacks, or confidence schemes, through email. Major examples are names belonging to financial institutions and better-known non-profit organizations. The intent is to “certify” that such domains are affiliated with legitimate members of those groups, allowing end users to be confident that the message is likely not fraudulent. Note that this does not produce an opinion about the desirability of the message, but only of its legitimacy.
This service is predicated on the use of two open Internet standards, namely DomainKeys Identified Mail (DKIM) and Vouch By Reference (VBR). DKIM provides a mechanism enabling a domain name owner to take responsibility for its handling of a message by attaching its domain name to the message using a cryptographic signature. VBR allows an agent to publish a list of domain names known to be in a specific trustworthy group. The specifications are IETF documents:
The Trusted Domain Project oversees the development and maintenance of open source implementations of both of these specifications.
Given the inherently insecure nature of electronic mail on the Internet, DKIM presents a novel concept in that it attaches a domain name to a message in a way that only the owner of that domain name can. No other party can attach that domain name to a message in the same way, so a validated DKIM signature guarantees that the owner of that domain name was involved in the handling of that message. However, the inverse is not true; a signature that does not validate is not an automatic indication of fraud. Furthermore, the absence of a valid signature tells us nothing. DKIM can only be used for positive identification.
Vouch By Reference is designed to allow an agent to list multiple names in a way that can be queried. Its design focuses on listing trusted email sending parties such as list operators or domains that send valid transactional email. Thus, one queries a VBR list to see if a domain name is known to be in a trusted set. Rather than having any given receiving site on the Internet maintain a list of domains it trusts, it instead trusts a “voucher” to maintain such a list. As with DKIM, only positive claims can be made with VBR; the absence of a name on such a list is not an indication of a problem with the owner of that name. It is important to note that VBR does not provide any statement about the domain name or its owner other than that name being present in the list. It is not itself a reputation service.
The two combined present a powerful mechanism. If common fraud targets, such as banks or non-profit organizations, all applied DKIM signatures in order to “stamp” their mail with their own domain names, then receivers could extract those names from valid signatures. If lists of domain names known to belong to bona fide members of those classes could then be queried, it would be possible to identify mail that came from real banks or real non-profits. Finally, where those two tests both succeed, the end user could be shown some kind of annotation or tag on the message that indicates its apparent validity as coming from (or being handled by) a known member of that set of domains.
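The combined check described above, as an added example that is not part of the original page or of the Trusted Domain Project's code. It assumes DKIM verification has already been performed by a separate verifier, uses the VBR-Info header fields (md, mc, mv) and the `_vouch` TXT query name defined in RFC 5518, and replaces DNS with a constructed lookup table; the domain names and the trusted-voucher set are hypothetical.

```python
# Constructed stand-in for DNS TXT lookups; a real receiver would query DNS.
SAMPLE_TXT = {
    "bank.example._vouch.registry.example": "transaction",
    "charity.example._vouch.registry.example": "all",
}

# Vouchers this receiver has chosen to trust (hypothetical local policy).
TRUSTED_VOUCHERS = {"registry.example"}


def parse_vbr_info(value):
    """Parse 'md=...; mc=...; mv=a:b' into a dict of lowercase values."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            fields[key.strip().lower()] = val.strip().lower()
    return fields


def affiliation(dkim_valid_domains, vbr_info, lookup_txt=SAMPLE_TXT.get):
    """Return the trusted voucher that confirms the sender, or None.

    None means "nothing learned", never "fraudulent": both DKIM and VBR
    support positive claims only.
    """
    info = parse_vbr_info(vbr_info or "")
    md, mc = info.get("md"), info.get("mc")
    if not md or not mc or not info.get("mv"):
        return None
    # The vouched domain must be one whose DKIM signature actually validated;
    # otherwise anyone could name a bank in md= on their own mail.
    if md not in {d.lower() for d in dkim_valid_domains}:
        return None
    # Consult only vouchers the receiver trusts, not whatever the sender lists.
    for voucher in info["mv"].split(":"):
        voucher = voucher.strip()
        if voucher not in TRUSTED_VOUCHERS:
            continue
        txt = lookup_txt(f"{md}._vouch.{voucher}")
        # The TXT record lists the vouched message types, or "all".
        if txt and ({"all", mc} & set(txt.lower().split())):
            return voucher
    return None
```

A mail client would show the annotation only when `affiliation` returns a voucher, and would treat `None` as an ordinary, unannotated message.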
Thus, by deploying these open standards technologies, for which free and open implementations already exist, it is possible to allow end users to identify valid messages coming from common fraud targets, and proceed with skepticism when reading messages that do not bear the markings of a valid source.
Our proposal involves creating a prototype deployment focusing on either banks or major non-profits in the United States. We plan to find an appropriate organization to create a prototype registry containing the domain names in active use by a few of these organizations that are willing to try it, and have them begin to deploy the sender-side components of DKIM and VBR.
We have already discussed this work with Google Mail (Gmail) and they are willing to experiment with the receiver-side portions of DKIM and VBR, and to annotate messages passing these tests with a “gold seal” (or similar) that is presented to end users.
After this proof-of-concept phase is completed, we will seek to scale this up to cover all banks, or all non-profits, or any other classification of domain names where the benefits would be valuable, by engaging facilitators in government and/or trade organizations, including finding a place to host the VBR lists with redundancy and creating a mechanism to add/remove vetted names. At this point we would also seek endorsement and/or support from government and industry to bolster both legal and technical infrastructure.
This service was inspired by work done by Dave Crocker and Jeff MacDonald as a project under mipassoc.org.