ietf-dkim

Re: [ietf-dkim] draft-fenton-dkim-threats-00

2005-10-13 13:34:54
On October 12, 2005 at 17:01, "Arvel Hathcock" wrote:

> > If the identity being validated has little, to no,
> > intrinsic "worth", then nothing is gained.
>
> I think I'm missing the point.  How can you assess the "worth" of an
> identity absent a conclusive understanding of what/who the identity is?

Let me restate: A value of an identity cannot be determined until
you know what entity it represents and what role the entity plays.

The core email specifications (RFC-(2)82[12]) define various
identities and the role they play.  Some identities have more "value"
over others.  For example, many see rfc2822.From as fairly valuable since
it allegedly represents the author(s) of the message, hence the desire
to protect it in various anti-forgery-type technologies.

With DKIM, the current goal-du-jour is to associate an accountable
domain to a message, independent of the identities asserted in the
message itself (although SSP does provide some bindings to email
identities).

The problem is the role of the domain is not designated, or it is
fixed, implying that the domain played some role in the transmission
of the message: the originating domain has the same level of
accountability as a forwarding domain as does a secondary backup
exchange.

In order to provide a better assessment on the value of a DKIM domain
identity, it would help to know the role it played in the transmission
of a message.  For example, an originating domain signature may have
a different weighting by recipients from a forwarding domain signature
when determining if the message is acceptable.

Of course, this also feeds into potential reputation systems, but
some domains may be put under higher scrutiny based upon the role
they played.

--ewh
_______________________________________________
ietf-dkim mailing list
http://dkim.org
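
The role-weighting idea in the message above, as an added sketch that is not part of the original post or of any DKIM draft: a DKIM-Signature header carries no role tag, so the code infers one by comparing each signature's d= domain with the rfc2822.From domain. The inference heuristic, the role names, the weights and the sample message are assumptions constructed for illustration, and the signatures are assumed to have been verified already.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: two DKIM-Signature headers on one message. The bh=/b=
# values are dummies (not cryptographically valid); domains are placeholders.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.net; s=fwd;
 h=from:subject:date; bh=AAAA; b=BBBB
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail;
 h=from:subject:date; bh=CCCC; b=DDDD
From: Alice <alice@example.com>
Subject: role weighting demo

body
"""

# Hypothetical weights: the post argues that roles deserve different
# weighting, it does not give numbers.
WEIGHTS = {"originator": 1.0, "other": 0.4}


def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def signer_roles(raw):
    """Return [(d= domain, inferred role, weight)] for each signature."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        d = parse_tags(value).get("d", "").lower()
        # Assumed heuristic: the signer is the originator only if d= equals
        # the From domain or is a parent of it. Any other signer handled the
        # message in some undeclared role (forwarder, list, backup exchange).
        aligned = bool(d) and (from_domain == d or from_domain.endswith("." + d))
        role = "originator" if aligned else "other"
        results.append((d, role, WEIGHTS[role]))
    return results
```

The "other" bucket cannot be split further from the header alone, which is the gap the message describes: a forwarder and a secondary exchange look identical to the receiver.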