On Oct 6, 2005, at 10:32 AM, Jim Fenton wrote:
Douglas Otis wrote:
Avoiding repudiation was not heeded within the DKIM draft
abstract that explains intent. : (
I really don't understand the above statement.
The DKIM abstract makes similar claims and _states_ repudiation is
the form of protection offered. It will be very difficult to defend
that position in my view.
A reputation mechanism can be safely established to accrue
behavioral information of the signer. How can reputation be
extended to include "addresses" and "identities"? What
protection is possible without reputation assessments?
A DKIM signature in fact _does_ guarantee the accountability of
the signer. It simply does not guarantee their behavior. That
is why reputation in the form of white-lists, accreditation, or
reputation services is _required_. Reputation is _not_ an
enhancement.
The threat analysis characterizes the bad acts as the spoofing of
email addresses. It does not consider bad behavior to be one of
the bad acts that we're guarding against. Perhaps that is unclear
from the wording "is not effective against the use of addresses
they control." What I mean to say is that the use of addresses is
out of scope for DKIM, rather than that DKIM is trying to solve
that problem but doesn't manage to.
Your language seems to miss an aspect with respect to reputation at
least. Not that DKIM directly prevents bad behaviors which includes
the spoofing of email addresses, it is who does DKIM hold
accountable? Mailbox-addresses should be declared as "unprotected"
with a possible exception of where a domain asserts they sign all
their own mail. How this assertion is made and applied is a
different issue for later. Within this limitation as a means to
avoid the misapplication of reputation, it should be safe to claim
some protection by way of repudiation.
By attempting to extend DKIM to include the protection of
"addresses" in the generic sense, there is danger entering into a
quagmire. Nothing can be accrued with respect to the "address"
in terms of bad behavior without implying the signer is also not
trustworthy. This creates a serious paradox.
Only when the "address" and the signer are the same, would it be
possible to safely make assertions of behavior, but then of
course extending assertions of behavior to the "address" would
not be required. I see little within the threat analysis that
clarifies this limitation. I am not comfortable with promises
that "address" protection is limited to just repudiation.
I would go further than that to say that even when the "address"
and signer are the same, it still isn't possible to safely make
assertions of behavior with DKIM. You are correct that reputation
and/or accreditation systems would be required to do so, but that
this analysis (and the WG charter we have been considering) do not
deal with that part of the problem.
I agree with this to some extent, however the threat analysis should
consider what form of protection is enabled by DKIM. Details of the
implementation of reputation are likely best handled by a different
WG. Nevertheless, there must be some clarity regarding what form of
protection is being enabled by DKIM. Remaining silent on this issue
has not added the requisite clarity. I see this document providing
greater value when these issues have been clarified. DKIM only
supports repudiation, and reputation except when attacked? This
seems to be points needing better clarification.
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org