Douglas Otis wrote:
Avoiding repudiation was not heeded within the DKIM draft abstract
that explains intent. : (
I really don't understand the above statement.
Clarity is also lacking within the threat document regarding what is
meant by the term identity or address. I assume without "IP"
prefixing address, address or identity means a header's mailbox
address such as RFC2822 From or Sender.
That is correct. Let me think about where we might put a clarification
on that.
A reputation mechanism can be safely established to accrue behavioral
information of the signer. How can reputation be extended to include
"addresses" and "identities"? What protection is possible without
reputation assessments?
A DKIM signature in fact _does_ guarantee the accountability of the
signer. It simply does not guarantee their behavior. That is why
reputation in the form of white-lists, accreditation, or reputation
services is _required_. Reputation is _not_ an enhancement.
The threat analysis characterizes the bad acts as the spoofing of email
addresses. It does not consider bad behavior to be one of the bad acts
that we're guarding against. Perhaps that is unclear from the wording
"is not effective against the use of addresses they control." What I
mean to say is that the use of addresses is out of scope for DKIM,
rather than that DKIM is trying to solve that problem but doesn't manage to.
By attempting to extend DKIM to include the protection of "addresses"
in the generic sense, there is danger entering into a quagmire.
Nothing can be accrued with respect to the "address" in terms of bad
behavior without implying the signer is also not trustworthy. This
creates a serious paradox.
Only when the "address" and the signer are the same, would it be
possible to safely make assertions of behavior, but then of course
extending assertions of behavior to the "address" would not be
required. I see little within the threat analysis that clarifies
this limitation. I am not comfortable with promises that "address"
protection is limited to just repudiation.
I would go further than that to say that even when the "address" and
signer are the same, it still isn't possible to safely make assertions
of behavior with DKIM. You are correct that reputation and/or
accreditation systems would be required to do so, but that this analysis
(and the WG charter we have been considering) do not deal with that part
of the problem.
-Jim
_______________________________________________
ietf-dkim mailing list
http://dkim.org