
Re: bozoproofing the net, was The Value of Reputation

2006-01-04 06:55:39
Roughly we need to consider how DKIM is used, not just define a
technology.  We need to talk about bad uses of DKIM as soon as we
are aware that they are sufficiently likely that they are worth
considering.

Here's a concrete suggestion: it is clear that the bad uses of DKIM
people have mentioned are a subset of the bad uses of STARTTLS.

I have seen concerns that third party reputation lists might be used
to create walled gardens or closed networks with DKIM.  This is not
just a theoretical risk with STARTTLS.  People have already done
exactly that, since TLS unlike DKIM already includes the facilities
for third parties to indicate which keys they like and which ones they
don't.  And the TLS world is dominated by a single signer whose
signing policies are opaque.

So how about if we simply reuse the warning language about STARTTLS
from RFC 3207?  If that's not adequate, do we need to write similar
warnings about STARTTLS?

R's,
John
