ietf-dkim

RE: [ietf-dkim] draft-fenton-dkim-threats-00

2005-10-05 10:02:46
I read the threat analysis and agree with the content.

I think that we can elaborate the threats against DKIM indefinitely. The 
important thing is that the threat analysis in its current form answers the two 
major questions relevant at this point:

* What threat does DKIM defend against?

* Given the previous attempts to do this type of work why is DKIM likely to be 
more successful?

In reference to the second I would emphasize that we are using the same 
technology to do something very different. Traditional email security 
mechanisms were designed to encrypt messages first and foremost and provide 
some sort of proof of sender origin that would create a rebuttable presumption 
that a message was 'genuine'. Note that I do not use the term 'confidentiality'.

What DKIM does is to allow a party to accept responsibility for an email 
message. This is very different to the traditional S/MIME, PGP, PEM, MOSS 
objectives.

Ubiquitous sender signatures create privacy and anonymity concerns we do not 
want to get involved in. We want to allow Yahoo, Gmail etc to tag the mail they 
send as having passed through their system and been subjected to their 
anti-spam velocity controls. If we achieve that goal we save a significant 
amount of electricity and improve the effectiveness of spam filters.

There are also proposals to build systems on top of DKIM that affect the end 
user directly. These are important but they are not the focus of the IETF 
group. There appears to be a strong consensus that the IETF is not the right 
venue to do user interface standardization work. The IESG does not want to 
authorize that type of work and previous attempts (HTTP 1.0) suggest that it is 
unlikely anyone will want to repeat this.

I think that the charter needs to state that the DKIM group will work with 
other groups that have a bearing on this problem. Inside the IETF with the PKIX 
working group. Outside with the W3C XKMS group and any security usability WG 
that might form.

Phill.

 

 

_______________________________________________
ietf-dkim mailing list
http://dkim.org