On Wed, 2004-12-01 at 11:32, Dave Crocker wrote:
> On 30 Nov 2004 17:54:00 -0800, Stephen Pollei wrote:
>> when it comes to phish/fraud scenarios I don't think DK adds much value
>> over just using spf. I have a two part reasoning for this assertion.
>
> The purpose of the mailing list is for technical discussions to
> produce a specification for an encryption-based
> message-signing mechanism that can be used to hold an
> entity responsible for posting the message.

OK so did you read my technical criticisms of DK and suggesting that
more interesting to me? Did you read where I criticized DK for being too
coarse-grained and how that coarse-graininess might cause legal
liability problems? IE you want to hold a person in a role
accountable/responsible not a domain name which may or may not even
denote a cohesive legal entity. Emails from yahoo and hotmail surely do
not come from a cohesive agency -- it consists of people which even have
competing business interests. I gave a real world sample event -- a
phish about a bank; From which I showed that even a bank will not want
to coarse-grain their signatures and thus a signature scheme should be
able to be fine-grained or it will cause problems in the real-world set
of problems digital signatures can address.
The law and court cases about apparent/ostensible authority and digital
signatures as they stand today probably mix in a way that is toxic for
many real world organizations today. Actually they might not want to use
either gpg keys or X.509 certificates as they stand today for some of
those reasons. When wamu.com signs the public key cert for
lisa_sue(_at_)wamu(_dot_)com they might want some kind of rdf descendant of foaf
and saml in there so you, a third party, can not deny that they were told
she was just the secretary in the PR department when they checked the
signature on her email telling you: "Your mortgage has been sold,
please send your future mortgage payments to caymen-bank.com instead."
It would boil down to:
Did you check the signature?
  yes) then we *notified* you she was a Public Relations person,
       and didn't have power to effect or notify you of mortgage changes.
       You received email from peggy_lee(_at_)wamu(_dot_)com and checked her
       as well, in that you can see we used foaf2.5 and saml3.7 to tell
       you she could handle mortgages. Also it is banking standard practice
       endorsed by the Electronic Banking Security Trade Association
       and practiced by Chase Manhattan, and CitiBank among others.
  no)  well a *reasonable* *person* knows that there is tons of email
       related fraud and you need to do *due* *diligence* on email received.
       Reiterate the stuff about standard practice.

> It is always great fun to debate differences in paradigms,
> such as a route registration technique like SPF, versus a
> message signing technique like domainkeys.

I didn't intend a paradigm debate, nor particularly to have fun. I was
very seriously trying to point out what kind of things I would like to
see in a digital signature standard. Things that you can't get using
other techniques. I am sorry if I also happened to point out that if you
neuter the power inherent within a digital signature standard that it
isn't likely to be much better or worse than some other approaches for a
narrowly defined task. I'm sorry if you have some kind of sore spot from
debating some other people with other points of view.
You might also happen to notice that I do digitally sign my messages,
and I support spf. I don't see it as a debate, but as both having their
The only thing I don't see the real point of is putting weight behind a
watered down signature standard like DK when it has pgp, IIM, S/MIME,
META and yes even spf to compete among.

> Hence, this line of debate and criticism is off topic.

The only criticism I have is of DK, not of digital signatures.
I'd think technical criticism of various particular issues with the
various signature initiatives would have been *spot* *on* topic for this
list -- of course I'm new here, so maybe you have some other agenda
here. Most technical places like weaknesses and shortcomings pointed out
so the end result can be made stronger.
If you believe that my criticism is out of place for this list, please
tell me and I'll unsubscribe and refrain from posting here.
GPG Key fingerprint = EF6F 1486 EC27 B5E7 E6E1 3C01 910F 6BB5 4A7D 9677