ietf-dkim

Re: [ietf-dkim] Re: comments on the threats draft

2005-10-21 14:24:41

----- Original Message -----
From: "Jim Fenton" <fenton(_at_)cisco(_dot_)com>
To: "Stephen Farrell" <stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie>

I agree that's a motivation (and that motivation or the
lack thereof shouldn't be a factor in what we document).  But
hopefully the bribery part is out of scope, otherwise we will
have a _very_ long list of threats.

The threat analysis should be realistic and exhaustive. That does not
suggest each could be addressable by the protocol. But it needs to be
itemized and highlighted.

For example, in a complete threat analysis, bribery simply highlights one
form of private key and password entry point exploits. The trusted agents
such as the DNS admin, Sysops, Co-Sysops, the domain owner are all "people
of interest" including the compromised protected assets such as the Private
key storage machine and/or signing server.

So how can private keys/passwords be compromised?

- Bribery (Black Market) is possible
- DKIM Spyware on trusted agents' machines
- DKIM SMTP proxies on signing machines (SMTP outbound server)

And others?

So even if the DKIM protocol itself has no inherent algorithm to address
private key/password entry point exploits, its risk and potential should be
itemized and assessed.

This will provide operators the opportunity to understand the risk and allow
them to organize an internal security plan. It can also promote R&D for
future inventors to find an automated solution or one that detects and
minimizes the exploit.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com

_______________________________________________
ietf-dkim mailing list
http://dkim.org