ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] draft-fenton-dkim-threats-00

2005-10-06 00:52:28
from [Eliot Lear] [Permanent Link] 
Doug,
Only when the "address" and the signer are the same, would it be possible to safely make assertions of behavior, but then of course extending assertions of behavior to the "address" would not be required. I see little within the threat analysis that clarifies this limitation. I am not comfortable with promises that "address" protection is limited to just repudiation.
I do not know what you mean by "address" and the signer being the same. If by that you mean that the domain of the signer and the sender are the same, then at least I don't disagree. I can't say I agree because I don't really understand your concern. It follows that in order to determine responsibility for the sender one first needs to determine responsibility for the domain, and the way that is done with DKIM is via DNS. The source of authority for the sender can then from that point be delegated. Are you questioning the strength of that delegation? If so, could you please explain it in smaller words, step by step?
The threat draft makes what I see as rather dangerously broad generalizations. It becomes a perilous situation to consider establishing a matrix of authorizations with respect to signers. Such an assessment scheme would depend upon an unaccounted signer where repudiation _must_ be the sole objective. Just as "Repudiation MailFrom" became "Sender Authentication", there is a real danger the limited benefits of repudiation will be extended by unfair reputation assessments.
I'm sorry but I don't see how you got there. Why must repudiation be the sole objective?
Inappropriate use of reputation can be prevented by simply limiting the purported protection to just the signing domain. Presume a fair reputation scheme on the basis of the signer offers a full spectrum of protections. This protection can be slightly enhanced by safe assertions the domain signs all their own mail. Perhaps this type of assertion could even be extended to also disallow the resending of their mail.
On a related topic, adding an opaque-identifier greatly extends the protections made possible by DKIM that are discounted in this draft. Importantly, these identifiers permit replay abatement. Alas, without prompt curtailment of abusive replays, reputation does not offer dependable protection, nor will DKIM. Zombies are far too prevalent. 

Does the SMTP Message-ID play this role?

Eliot
_______________________________________________
ietf-dkim mailing list
http://dkim.org
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] New DKIM threat analysis draft, Amir Herzberg
Next by Date:  RE: [ietf-dkim] New DKIM threat analysis draft, Hallam-Baker, Phillip
Previous by Thread:  Re: [ietf-dkim] draft-fenton-dkim-threats-00, Douglas Otis
Next by Thread:  Re: [ietf-dkim] draft-fenton-dkim-threats-00, Dave Crocker
Indexes:  [Date] [Thread] [Top] [All Lists]