
Re: [ietf-dkim] DKIM Threat Assessment v0.02 (very rough draft)

2005-08-09 17:36:04
I'm not sure that we aren't in agreement here. But I'm also not sure that we are.

The granularity of the identity is (potentially) per user. But the granularity of the signer is per-selector. Thus, the identity in i= is really a statement by the domain that "I have good reason to believe that this is the responsible party" --- and "good reason to believe" is left undefined, at least in the DKIM spec.

The point is really to be able to establish accountability. Viewed externally, the domain is the responsible party for the message. But internal to that domain, the local-part of the i= is useful. This is almost a one-for-one analogy with email addresses, where the local-part is opaque to all but the recipient domain.

eric


--On August 9, 2005 4:23:20 PM -0700 Michael Thomas <mike(_at_)mtcc(_dot_)com> wrote:

Eric Allman wrote:
That is not correct. The local part of the i= is intended to
provide a binding to the local part of outside origination
headers, not just the domain part. Which is why it is,
in fact, a primary goal.


That doesn't change the fact that it is the /domain/ signing a
message, not a user. That domain may identify the individual
user in such a way that is within the comfort zone of the signing
domain administrator, but the keys are still owned and
administrated by the domain owner.

That's all true, but that's not what Dave asserted:

 > This is precisely what DKIM does.  It is the domain administrator who
 > defines
 > the DNS records used by DKIM and DKIM's granularity of the validated
                                                              ^^^^^^^^^
 > identity is  a domain name.
                ^^^^^^^^^^^^^

There's finer granularity than the domain name. The i= defines
it, not to mention the g=. Which in terms of a problem statement,
etc, is misleading to say that it's a secondary goal; it's been
a primary goal all along for everybody that I can determine except
Dave.

                Mike



_______________________________________________
ietf-dkim mailing list
ietf-dkim(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/ietf-dkim
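The distinction the thread turns on (identity granularity in i=, signer granularity in the selector, local part opaque to the verifier, and g= narrowing which local parts may use a key) can be made concrete in code. The following is an added example, not from this thread or from any DKIM implementation; the DKIM-Signature header and key record are constructed, and the g= matching follows the later RFC 4871 definition (the tag was dropped again in RFC 6376).

```python
import re

# Constructed sample data (not from the thread). A verifier would fetch the
# key record from <s>._domainkey.<d> in DNS; it is embedded here to run offline.
SIGNATURE = ("v=1; a=rsa-sha256; d=example.com; s=aug2005; "
             "i=eric@example.com; h=from:to:subject; bh=Zm9v; b=YmFy")
KEY_RECORD = "v=DKIM1; g=eric*; k=rsa; p=MIGfMA0G..."


def parse_tags(value):
    """Split a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        name, _, val = part.partition("=")   # b= may contain '=' padding
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def identity_alignment(sig_tags):
    """Return (key_name, local_part, identity_domain, aligned).

    key_name is the per-selector key the *domain* publishes (s= under d=);
    i= is the identity the domain vouches for (default: "@" + d=). A verifier
    can only check that the i= domain is d= or a subdomain of it; the local
    part is opaque to everyone except the signing domain."""
    d = sig_tags["d"].lower()
    i = sig_tags.get("i", "@" + d)
    local, _, idomain = i.rpartition("@")
    idomain = idomain.lower()
    aligned = idomain == d or idomain.endswith("." + d)
    return (sig_tags["s"] + "._domainkey." + d, local, idomain, aligned)


def local_part_allowed(g, local):
    """Apply the key record's g= tag (RFC 4871): the i= local part must match
    g=, where a single '*' matches any run of characters. Absent g= means "*";
    an empty g= matches no address, so such a key cannot sign for any i=."""
    if g == "":
        return False
    head, star, tail = g.partition("*")
    if not star:
        return local == g
    return (local.startswith(head) and local.endswith(tail)
            and len(local) >= len(head) + len(tail))


if __name__ == "__main__":
    sig, key = parse_tags(SIGNATURE), parse_tags(KEY_RECORD)
    key_name, local, idomain, aligned = identity_alignment(sig)
    print("key (selector):", key_name)
    print("identity:", local, "@", idomain, "aligned:", aligned)
    print("local part permitted by g=:", local_part_allowed(key.get("g", "*"), local))
```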
