
Re: [ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt]

2006-01-07 11:39:23
On Sat, 2006-01-07 at 11:15 +0100, Eliot Lear wrote:
> Andrew Newton wrote:
>
>> I am thinking "no."  DKIM's ability to identify a domain owner is not
>> limited by registration authority rules because there may be or will
>> be reputation services separate from the registration authority.
>
> Precisely.  We need to separate what DKIM does from what reputation
> services do.
>
>> Besides, I don't think DKIM is ever identifying the owner of a domain
>> name since that information is not in DNS.  If the Acme Widget company
>> has the domains acmewidgets.com, acme-widgets.com, and
>> acme-widgets-inc.com, there is nothing in DNS that tells me all three
>> are owned by Acme Widgets (well, nothing you can rely upon).
>
> You're right.  The information is contained within the registries.
> Whether a recipient can access that information ALSO depends on the
> registry policies.

Often, the extent of owner verification is limited to what can be
determined by payment methods and DNS server information, as no other
confirmations, such as web or email logs, are made available, even when
the information is shared.  As the typical fee could be missed in a
credit card report, even payment information remains dubious, and
permits deniability.

If the substantially anonymous owner has not committed bad acts, the
identification utilized to accrue a history of use should only employ
verified identifications, such as a validated DKIM signature.  With a
potential replay problem, even validation may not be adequate without
some expectation of a practical replay control.

Assuming there is a verified identifier, where there is some expectation
of replay control, the extent of accountability ends at the domain name.
It would not be practical within the current system to extend DNS based
identification to individuals.  Perhaps in a few cases, in conjunction
with corroboration, such as a history of use, this information could be
applied to known entities.

The advantage afforded by DKIM is avoidance of a certificate authority,
which would provide entity identification more reliably.  Certificates
for MTAs would add a significant recurring expense, which has made this
avenue attractive only in specific cases through private agreement.
Even with a certificate authority vouching for the identity, as with the
registrar, there would be a conflict of interest to also expect them to
judge the history of use.

-Doug


_______________________________________________
ietf-dkim mailing list
http://dkim.org
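The separation argued for in this thread, shown as an added example (not code from the thread or from any DKIM implementation): the only identifier a verified signature yields is the signing domain in the d= tag, the x= expiry is the practical replay bound, and reputation is a separate lookup keyed by that domain. The header, timestamps and reputation table are constructed, and the verification result is assumed to come from a real DKIM verifier.

```python
# Constructed DKIM-Signature tag list (not from the thread); bh= and b= are placeholders.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; d=acmewidgets.com; s=mail2006; i=@acmewidgets.com;"
    " t=1136633963; x=1136720363; h=from:to:subject;"
    " bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG="
)


def parse_tags(header):
    """Split a DKIM tag=value list into a dict, tolerating whitespace around tags."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def accountable_identity(tags, now, verified):
    """Return (identifier, reason) for a message whose signature status is `verified`.

    `verified` is assumed to be the result of a real DKIM verifier (hypothetical input).
    The identifier is the signing domain d=, never the domain's legal owner, and a
    signature past its x= expiry is treated as a possible replay rather than trusted.
    """
    if not verified:
        return None, "signature did not verify: nothing to accrue history to"
    domain = tags.get("d")
    if not domain:
        return None, "no d= tag: no accountable identifier"
    expiry = tags.get("x")
    if expiry and now > int(expiry):
        return None, "signature expired (x=): treat as possible replay"
    return domain, "verified signing domain; accountability ends here"


# Reputation lives outside DKIM and is keyed only by the verified domain (constructed data).
REPUTATION = {"acmewidgets.com": "good"}


def reputation_for(identifier):
    """Look up history for a verified identifier; unverified mail gets no reputation at all."""
    if identifier is None:
        return "unknown"
    return REPUTATION.get(identifier, "no history")
```

Note that acme-widgets.com, even if owned by the same company, accrues nothing from acmewidgets.com's signatures; DNS and DKIM say nothing about common ownership.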
