Eliot Lear <lear(_at_)cisco(_dot_)com> writes:
> Eric,
>
> Thank you for your comments.
>
> > Indeed, if what you wanted to do
> > was stop message forgery as a general case, you would have to
> > consider the issue of forgery by other authorized users in
> > the same administrative domain, which generally leads to an S/MIME
> > style solution.
>
> While it is true that a wide deployment of S/MIME may limit forgery,
> it is perhaps not the only way, and so let me suggest that where you
> say "generally" we are now outside that realm.

I'm not sure I understand this statement.

> Here the problem is broken into several parts: verification that a
> message came from an administrative domain and verification within the
> administrative domain. Mechanisms exist within an administrative
> domain to verify identity of a sender. Those methods can be
> improved. Dramatically, IMHO. But that needn't be something for DKIM.
>
> To tackle *spam*, reputation must be considered. That needn't be done
> by DKIM but it must be done. I haven't seen a strong argument that
> the reputation component should be done within the IETF, as no
> protocol requirements to do it have been identified. What is clear is
> that reputation cannot be considered without something like DKIM.
>
> Would you agree or disagree with the above statements?

I agree that you can't build a reputation system without some form of
data origin authentication. It seems to me that the form of data
origin authentication being proposed here is principally useful for
this kind of reputational anti-spam system, not for solving the
generic data origin authentication problem. Accordingly, I think that
this project needs some sort of plausible argument about how it
will be useful for stopping spam.
I'm not sure if that argument requires a plan to build a reputation
system. However, if the argument is going to be such that a reputation
system is required, then, considering that that's probably the
hard bit, I would tend to think that such a plan would be useful, no?
-Ekr
_______________________________________________
ietf-dkim mailing list
http://dkim.org