
Re: bozoproofing the net, was The Value of Reputation

2006-01-04 09:22:23
"John R Levine" <johnl(_at_)iecc(_dot_)com> writes:

> OK.  If this is just an assumption and not backed by evidence, I would
> suspect that outside of the web you see a lot less use of the big CAs.

This is my impression as well. And a fair amount of the reason here
is UI: the browsers are set up to check the server's cert and
the MTAs generally are not.


> Probably true.  And since DKIM has no provision for authorities at all, it
> definitely doesn't use them.

Well, yes and no. DKIM depends for its security on the DNS,
which means that it depends on the security of the DNS.
In order for this to be strong (i.e., cryptographic) security,
the relevant DNS records need to be signed and that means 
that there's a dependency on the DNSSEC roots.


> So remind me, what is the problem with DKIM that we're all supposed to be
> worried about?

As I understand it the concern is that people who don't use DKIM
will eventually not be able to send e-mail to people who are using
it. I'm not sure that this is something that people should be concerned
about; indeed, the logic of this kind of system is that if it succeeds
that's exactly what will happen.

That said, I don't think that the comparison with STARTTLS is particularly
illuminating. While in principle one could use STARTTLS as a measure
to discriminate between classes of senders, in practice it's not used
that way but instead used primarily for confidentiality. However,
DKIM's only real use is to discriminate between classes of senders,
so we do need to expect it to be used that way.

-Ekr

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
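The dependency Ekr describes above can be made concrete. A DKIM verifier never talks to an authority: it takes the s= and d= tags from the DKIM-Signature header, fetches the TXT record at <s>._domainkey.<d>, and uses whatever public key comes back. The only evidence it has that this record is genuine is the AD (Authenticated Data) flag that a DNSSEC-validating resolver sets on the response, which in turn chains up to the DNSSEC roots; without it, the key is exactly as trustworthy as the path to the resolver. The script below is an added example, not code from this thread or from any DKIM implementation. It builds the query (with the EDNS0 DO bit so DNSSEC data is returned), parses the response including compressed names and multi-string TXT records, and classifies the key by the AD flag. The domain, selector, header and key material are constructed for the offline run (the p= value is dummy base64, not a real key), and `build_txt_response` stands in for the resolver; `fetch_dkim_key` does the same lookup against a real resolver of your choosing.

```python
"""DKIM trust chain, followed down to the DNS and the DNSSEC AD flag.

Added example, not code from the thread or from any DKIM implementation.
A verifier fetches the signer's key from the TXT record at <s>._domainkey.<d>;
its only evidence that the record is genuine is the AD flag from a validating
resolver it trusts. Stdlib only; the offline DNS messages are constructed here.
"""
import socket
import struct

TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1
FLAG_AD, FLAG_DO = 0x0020, 0x8000   # AD in header flags, DO in the OPT TTL field

def parse_tags(value: str) -> dict:
    """RFC 6376 tag=value list (DKIM-Signature or key record), folding WS dropped."""
    tags = {}
    for field in value.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags

def dkim_key_query_name(dkim_signature: str) -> str:
    """Owner name of the key named by a DKIM-Signature value: <s>._domainkey.<d>."""
    t = parse_tags(dkim_signature)
    return f"{t['s']}._domainkey.{t['d']}"

def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def build_txt_query(name: str, txid: int = 0x1234) -> bytes:
    """TXT query with an EDNS0 OPT record and DO=1, so DNSSEC data is returned."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 Q, 1 AR
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, FLAG_DO, 0)
    return header + question + opt

def parse_txt_response(msg: bytes) -> dict:
    """{'ad': bool, 'rcode': int, 'txt': [...]}; each TXT RR's strings joined."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                         # QTYPE + QCLASS
    txts = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TYPE_TXT:
            parts, p = [], 0
            while p < len(rdata):                        # <len><chars> strings
                parts.append(rdata[p + 1:p + 1 + rdata[p]].decode("ascii"))
                p += 1 + rdata[p]
            txts.append("".join(parts))
    return {"ad": bool(flags & FLAG_AD), "rcode": flags & 0x000F, "txt": txts}

def key_trust_level(response: dict) -> str:
    """What the fetched key is worth: only AD=1 makes the key retrieval cryptographic."""
    if response["rcode"] != 0 or not response["txt"]:
        return "no key"
    return "dnssec-authenticated" if response["ad"] else "unauthenticated"

def fetch_dkim_key(dkim_signature: str, resolver: str, timeout: float = 3.0) -> dict:
    """Live UDP lookup (network; not used by the offline run). AD is meaningful
    only if `resolver` validates DNSSEC and the path to it is trusted."""
    query = build_txt_query(dkim_key_query_name(dkim_signature))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        return parse_txt_response(s.recvfrom(4096)[0])

def build_txt_response(query: bytes, txt_chunks, ad: bool) -> bytes:
    """Constructed resolver answer to `query`, standing in for the network."""
    _, qend = _read_name(query, 12)
    flags = 0x8180 | (FLAG_AD if ad else 0)              # QR, RD, RA (+AD)
    header = struct.pack("!HHHHHH", (query[0] << 8) | query[1], flags, 1, 1, 0, 0)
    rdata = b"".join(bytes([len(c)]) + c.encode("ascii") for c in txt_chunks)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 3600, len(rdata))
    return header + query[12:qend + 4] + answer + rdata

# Constructed sample inputs: not a real domain, message or key (dummy base64).
SAMPLE_DKIM_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; "
                         "s=sel2006;\r\n\th=from:to:subject:date; bh=AAAA; b=BBBB")
SAMPLE_KEY_CHUNKS = ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA",
                     "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="]
```

Run the same query through `build_txt_response` with `ad=False` and `ad=True` and `key_trust_level` flips from "unauthenticated" to "dnssec-authenticated" with the key bytes unchanged: nothing in the record itself tells the verifier whether it was forged on the wire. Against a live resolver, AD=1 is only as good as the resolver doing the validation and the path to it; a verifier that does not validate itself has simply moved the trust to that hop.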