Doug,
Only when the "address" and the signer are the same, would it be
possible to safely make assertions of behavior, but then of course
extending assertions of behavior to the "address" would not be
required. I see little within the threat analysis that clarifies this
limitation. I am not comfortable with promises that "address"
protection is limited to just repudiation.
I do not know what you mean by "address" and the signer being the same.
If by that you mean that the domain of the signer and the sender are
the same, then at least I don't disagree. I can't say I agree because I
don't really understand your concern. It follows that in order to
determine responsibility for the sender one first needs to determine
responsibility for the domain, and the way that is done with DKIM is via
DNS. The source of authority for the sender can then from that point be
delegated. Are you questioning the strength of that delegation? If so,
could you please explain it in smaller words, step by step?
The threat draft makes what I see as rather dangerously broad
generalizations. It becomes a perilous situation to consider
establishing a matrix of authorizations with respect to signers. Such
an assessment scheme would depend upon an unaccounted signer where
repudiation _must_ be the sole objective. Just as "Repudiation
MailFrom" became "Sender Authentication", there is a real danger the
limited benefits of repudiation will be extended by unfair reputation
assessments.
I'm sorry but I don't see how you got there. Why must repudiation be
the sole objective?
Inappropriate use of reputation can be prevented by simply limiting the
purported protection to just the signing domain. Presume a fair
reputation scheme on the basis of the signer offers a full spectrum of
protections. This protection can be slightly enhanced by safe
assertions the domain signs all their own mail. Perhaps this type of
assertion could even be extended to also disallow the resending of their
mail.
On a related topic, adding an opaque-identifier greatly extends the
protections made possible by DKIM that are discounted in this draft.
Importantly, these identifiers permit replay abatement. Alas, without
prompt curtailment of abusive replays, reputation does not offer
dependable protection, nor will DKIM. Zombies are far too prevalent.
Does the SMTP Message-ID play this role?
Eliot
_______________________________________________
ietf-dkim mailing list
http://dkim.org