ietf-dkim

Re: [ietf-dkim] draft-fenton-dkim-threats-00

2005-10-07 09:54:32
Douglas Otis wrote:
The only thing DKIM "prevents" is detecting invalid uses of a domain name for a signature.
DKIM, as described, does not prevent or detect invalid uses.
Oh. You mean that your sending a message using my domain, without my permission, won't be possible to detect?
Not in the case of a replay, for example. The domain may consider abusive replay to be an invalid use when such use impacts future abilities.
The term "replay" has at least two different uses. One refers to a third party, using some of an otherwise valid message, while adding their own content. DKIM will permit detecting this.

Since DKIM does not "do" reputation, talking about the limitations of using DKIM for reputation strikes me as entirely out of scope.

The concern was _not_ about whether DKIM "does" reputation, but whether DKIM "supports the use of" reputation.
Doug, you are adding to DKIM's scope and then criticizing it for not satisfying the extension.

Before you start trying to specify solutions and before you claim that DKIM has anything that might be called a "weakness" you need to recruit support for this expansion in DKIM's goals. So far, I have not seen that support emerging.

This concern is distinctly different and does not deal with any details related to a specific implementation of reputation.
You have been suggesting specific changes to the DKIM specification.

Strange how only repudiation is supported, but then only reputation is mentioned in the threat analysis.
Strange? DKIM is a complete technical specification that performs specific functions. The threat analysis describes what problems that specification attempts to deal with. What would be strange -- and entirely inappropriate -- is to have the threat analysis cover threats to which DKIM does not respond.

You have again suggested DKIM only supports repudiation.
What language of mine do you believe says this?

Would it be okay to review an elevator pitch for repudiation?
The threat analysis deals with the existing DKIM -- unless there is rough consensus to expand DKIM's scope. I haven't seen that consensus emerging. Discussing repudiation is an attempt to expand DKIM's scope. Repudiation prevention is a nice goal. There are lots of nice goals. Would it be reasonable to have an open-ended pursuit of all the nice goals that DKIM *might* be modified to assist in achieving?

I don't think so, unless the goal here is to have endless abstract discussion, rather than to expedite standardization of DKIM.

d/

_______________________________________________
ietf-dkim mailing list
http://dkim.org