ietf-dkim

Just stop complaining and produce a threat analysis. RE: [ietf-dkim] on the scope and necessity of threat analysis

2005-08-15 07:47:30

From: Keith Moore [mailto:moore(_at_)cs(_dot_)utk(_dot_)edu] 

Hallam-Baker, Phillip wrote:
Just make a cogent statement of the problems that DKIM is attempting
to solve that would not exist if DKIM did not exist.

There are two threat analyses possible:

    Report = Threats (World)

    Report = Threats (World + DKIM)

To get chartered the group needs to show

    Threats (World + DKIM) < Threats (World)

that's a necessary condition, not a sufficient one.

True, but that is the specific part of Russ' request that people seem to
have difficulty understanding.

It is also the requirement that I would be most concerned about if I was
doing Russ' job here. Contrary to a somewhat peculiar claim made in
another thread there is absolutely no doubt that the group can finish
the spec, there are FOUR precedents for standards work in this area, all
of them delivered specifications. DKIM is considerably less ambitious
than any of the other attempts. 

The problem was not with the delivery or even the deployment of the
spec. S/MIME is one of the most widely implemented security specs of all
time, billions of applications that are used every day support S/MIME. 

The problem is that the specs are not being used, this appears to be
because the benefit/reward ratio is too low.

There are two strategies being used to attempt to address this problem.
One is to attempt to increase the scope of DKIM to increase the benefit
in ways that are not likely to add significantly to the time taken by
the WG. The second is to spend inordinate amounts of time whining about
the request in the hope it be reduced.

The reason I proposed the additions I did was because having worked in
this field for a decade I anticipated an issue in this area. I have also
spent the past five years working specifically on Internet crime issues.
So far vastly more effort has gone into the reduction strategy than
anything else.

Let's do this in stages:
        What are the ASSETS we are trying to protect?
        What are the RISKS that those assets are subject to?
        What are the THREATS that realize those risks?
        What are the CONTROLS we propose as a means of mitigating those threats?
        What is the RESIDUAL level of risk?

If the answer to the ASSETS question is 'email address' then do not
claim that you are doing anything to stop spam or phishing. The assets
there are the user's INBOX and their bank account. If we narrow the
scope of phishing to email impersonation phishing then the asset is the
bank BRAND.

If people like, I am happy to try to arrange a con-call with some bankers
who have worked on the phishing problem through the APWG.

I am happy to repost the security analysis that I posted earlier. But
only when people stop arguing over the iniquity of being required to do
a task that is very basic to the problem area.

_______________________________________________
ietf-dkim mailing list
<http://dkim.org>

  • Just stop complaining and produce a threat analysis. RE: [ietf-dkim] on the scope and necessity of threat analysis, Hallam-Baker, Phillip <=