I read the threat analysis and agree with the content
I think that we can elaborate the threats against DKIM indefinitely. The
important thing is that the threat analysis in its current form answers the two
major questions relevant at this point:
* What threat does DKIM defend against
* Given the previous attempts to do this type of work why is DKIM likely to be
more successful?
In reference to the second I would emphasize that we are using the same
technology to do something very different. Traditional email security
mechansims were designed to encrypt messages first and foremost and provide
some sort of proof of sender origin that would create a rebuttable presumption
that a message was 'genuine'. Note that I do not use the term 'confidentiality'.
What DKIM does is to allow a party to accept responsibility for an email
message. This is very different to the traditional S/MIME, PGP, PEM, MOSS
objectives.
Ubiquitous sender signatures create privacy and anonymity concerns we do not
want to get involved in. We want to allow Yahoo, Gmail etc to tag the mail they
send as having passed through their system and been subjected to their
anti-spam velocity controls. If we achieve that goal we save a significant
amount of electricity and improve the effectiveness of spam filters.
There are also proposals to build systems on top of DKIM that affect the end
user directly. These are important but they are not the focus of the IETF
group. There appears to be a strong consensus that the IETF is not the right
venue to do user interface standardization work. The IESG does not want to
authorize that type of work and previous attempts (HTTP 1.0) suggest that it is
unlikely anyone will want to repeat this.
I think that the charter needs to state that the DKIM group will work with
other groups that have a bearing on this problem. Inside the IETF with the PKIX
working group. Outside with the W3C XKMS group and any security usability WG
that might form.
Phill.
_______________________________________________
ietf-dkim mailing list
http://dkim.org