ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] draft-fenton-dkim-threats-00

2005-10-06 10:39:32
from [Jim Fenton] [Permanent Link] 
Douglas Otis wrote:
Avoiding repudiation was not heeded within the DKIM draft abstract that explains intent. : ( 

I really don't understand the above statement.
Clarity is also lacking within the threat document regarding what is meant by the term identity or address. I assume without "IP" prefixing address, address or identity means a header's mailbox address such as RFC2822 From or Sender.
That is correct. Let me think about where we might put a clarification on that.
A reputation mechanism can be safely established to accrue behavioral information of the signer. How can reputation be extended to include "addresses" and "identities"? What protection is possible without reputation assessments?
A DKIM signature in fact _does_ guarantee the accountability of the signer. It simply does not guarantee their behavior. That is why reputation in the form of white-lists, accreditation, or reputation services is _required_. Reputation is _not_ an enhancement.
The threat analysis characterizes the bad acts as the spoofing of email addresses. It does not consider bad behavior to be one of the bad acts that we're guarding against. Perhaps that is unclear from the wording "is not effective against the use of addresses they control." What I mean to say is that the use of addresses is out of scope for DKIM, rather than that DKIM is trying to solve that problem but doesn't manage to.
By attempting to extend DKIM to include the protection of "addresses" in the generic sense, there is danger entering into a quagmire. Nothing can be accrued with respect to the "address" in terms of bad behavior without implying the signer is also not trustworthy. This creates a serious paradox.
Only when the "address" and the signer are the same, would it be possible to safely make assertions of behavior, but then of course extending assertions of behavior to the "address" would not be required. I see little within the threat analysis that clarifies this limitation. I am not comfortable with promises that "address" protection is limited to just repudiation.
I would go further than that to say that even when the "address" and signer are the same, it still isn't possible to safely make assertions of behavior with DKIM. You are correct that reputation and/or accreditation systems would be required to do so, but that this analysis (and the WG charter we have been considering) do not deal with that part of the problem. 

-Jim
_______________________________________________
ietf-dkim mailing list
http://dkim.org
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] draft-fenton-dkim-threats-00, Dave Crocker
Next by Date:  Re: [ietf-dkim] draft-fenton-dkim-threats-00, Douglas Otis
Previous by Thread:  Re: [ietf-dkim] draft-fenton-dkim-threats-00, Douglas Otis
Next by Thread:  Re: [ietf-dkim] draft-fenton-dkim-threats-00, Douglas Otis
Indexes:  [Date] [Thread] [Top] [All Lists]