ietf-dkim

Re: [ietf-dkim] DKIM Threat Assessment v0.02 (very rough draft)

2005-08-12 22:08:55

On Aug 11, 2005, at 6:54 PM, Ned Freed wrote:
> As I just stated on the IETF list, absent a clear statement of what this threat
> analysis is actually supposed to analyze, I for one have little interest in
> "trying". I view my time as better spent trying to get the relevant ADs and IAB
> members to produce a coherent statement of what it is they want. Spending time
> on something that stands a good chance of not being what was asked for is not,
> IMO, useful.

It would be ideal to have an RFC with the title "How to write a
Threats Analysis", but no such thing has been written.

While having such a document would certainly be helpful, I have never said
having such a document is a prerequisite to doing this sort of analysis.

We do have three simple questions from the relevant AD, and I don't believe
Russ has given them to us as busy-work... he's simply not that type of
person.

Can we stop the strawman arguments please? Nobody has characterized the task of
writing a threat analysis as "busywork". Indeed, it is perfectly obvious that
the right sort of analysis could help us avoid all sorts of problems.

What I have asked for, repeatedly, is additional clarification as to the
general scope and direction the threat analysis needs to have. The questions
we've been given do not even come close to making this clear.

And after hearing people at the BoF speak of DKIM as bounce
protection, I can understand the broader IETF community asking us to
go through this exercise.

So I wonder if this threats analysis would benefit from a list of
things DKIM is not designed to guard against.

My best guess is that what's being asked for is a general threat analysis of
email along with a statement explaining which of these threats DKIM intends to
help address. So yes, a list of things DKIM doesn't protect against might need
to be part of what we do. Or not, since my guess could easily be wrong.

                                Ned