Oddly I think we are agreeing, so perhaps we're both going in the wrong
way ;-) I thought the point was to bound DKIM's capability. On the
other hand, one could imagine a strict requirement for domain assignment
in some TLDs (perhaps this is already the case with .gov?). Regardless,
absent that level of authentication between the registrar and the domain
"owner" you're left with reputation services...
Eliot
william(at)elan.net wrote:
On Fri, 6 Jan 2006, Eliot Lear wrote:
Jim Fenton wrote:
I'll stipulate that accountability may be the wrong word. However,
your
rewording doesn't pick up the concept that the domain registration may
be fraudulent, and in that case I don't think it's properly assigning
accountability. I was trying to convey that there is a dependency here
that puts an upper bound (a rather low upper bound, at that) on the
ability to identify the domain owner of a properly signed message.
How about the following:
DKIM's ability to identify a domain owner is [also] bounded by
whatever checks a registration authority imposes.
You're going in the wrong direction.
Even if it may have been original intent long ago, currently
domain registration authorities do not do any checking of the
domain owner's identify and the commodity of the provided services
clearly reflects that (as is the pricing for TLD domains; market
is used to this and situation is unlikely to change).
Domain identity is really self-identification and the same service
would be provided by domain-bound email signatures discussed on this
list - they allow domain owner to self-identify itself and provide
cryptographic means to link the email message to this self-identity.
The accountability of this identity is beyond the scope of the service
provided by simple domain-based email signatures (at least based
on what is in scope within approved charter). This is something
that accreditation services supposed to do i.e. tell if the domain
owner is known and willing to take responsibility for the transactions
and who they really are (but if this is going to actually be of any
value depends on that accreditation providers do not just take money
from somebody willing to pay but actually do some sort of verification
of who they are dealing with). Now even when you having somebody who
you can hold accountable, that does not mean they are good player in
email arena (who is good and bad is area for reputation services).
Now can we please go back to your draft and make it clear that
signature only establishes link between email message and some
domain name. Anything further then that such as verifying
domain owner identity and accountability would have to be
provided by some other means and different service.
---
BTW - Personally I think the link should be provided not to domain
name but directly to email address level whenever possible. The
email address identities in messaging network are as host identities
on the ip network and with SSL we almost always use "host.domain.com"
as appropriate identify for SSL certificates but do also allow for
wildcard certificates i.e. "*.domain.com".
_______________________________________________
ietf-dkim mailing list
http://dkim.org