
[ietf-dkim] New Issue: Threat-00 Limiting the scope of trust

2006-02-01 11:36:38
,---
| 1.  Introduction
| ...
| Once the attesting party or parties have been established, the
| recipient may evaluate the message in the context of additional
| information such as locally-maintained whitelists, shared reputation
| services, and/or third-party accreditation.  The description of these
| mechanisms is outside the scope of this effort.  By applying a
| signature, a good player enables a verifier to associate a positive
| reputation with the message, in hopes that it will receive
| preferential treatment by the recipient.
'---

As related to the goals established within the introduction, perhaps there could be a section on issues related to the establishment of trust based upon the DKIM signature. This added section could deal with issues related to MUA keys, or a population of users within a domain where it is not practical to implement a level of vetting needed to retain trust (a positive reputation). This issue of trust is important, as perhaps the only _safe_ indication that can be conveyed to the recipient would be whether the domain has a trustworthy reputation.

An indication that an email-address is within a signing-domain can be obtained by any bad actor. Reliance upon a "within the signing-domain" indication necessitates perilous examinations of the email-address and knowledge of the domain name hierarchy. Conversely, marking a message as "trustworthy" based upon the reputation of the signing-domain could not be obtained by any bad actor and does not require careful examination of the email-address. There could be standards established for trustworthy lists where the signing domain must also have a CA Certificate suitable for commerce, for example.

A message being marked as Trustworthy should require two elements:

 - Good Reputation of the signing-domain's trustworthiness
 - Specific assertion by the signing-domain the message is trustworthy


This added signing-domain assertion could enable critical communications from key personnel within the domain to send messages marked as trustworthy to users within the domain. However, untrusted users within the domain (perhaps using a free email account) could (and should) be excluded from having their messages marked as trustworthy. This would shield these domains from the actions of poorly vetted users, while still retaining an ability to have critical messages receive a "trustworthy" marking. Large institutions may also desire a means to segregate messages from contractors or temporary workers to further ensure their trustworthy reputation is protected. Perhaps users with a delegated private key within their MUA would be excluded from receiving a trustworthy marking due to the prevalence of compromised systems. The signing-domain assertion of trustworthiness could be a binary flag within the DKIM Key, for example.

It is not practical to attempt to compile reputations for an unlimited number of email-addresses or message signatures. However, allowing the domains to exclude less trustworthy users, independent of the email-address, would allow a simple list of trustworthy domains to be maintained. The same email-address may be trustworthy when signed by the MSA, but not when signed by the MUA, for example.

-Doug
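The two-element rule proposed in the message above, as an added example that is not code from the post or from any DKIM implementation: the verifier consults only the signature's d= and s= tags, a local list of reputable domains, and the selected key record. The `tw=1` tag in the key record, the domain list and the sample records are assumptions constructed for this example; DKIM defines no such tag.

```python
import re

# Constructed sample: locally maintained list of signing domains with a good
# trustworthiness reputation (element 1 of the rule).
TRUSTED_DOMAINS = {"example.com"}

# Constructed sample key records, keyed as "<selector>._domainkey.<domain>".
# 'tw=1' is an assumed tag carrying the domain's own assertion (element 2);
# DKIM defines no such tag.  The MSA key asserts it, the delegated MUA key
# does not, so the same address gets different markings per signing key.
KEY_RECORDS = {
    "msa._domainkey.example.com": "v=DKIM1; k=rsa; tw=1; p=MIGfMA0GCSqGSIb3",
    "mua._domainkey.example.com": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3",
    "msa._domainkey.example.net": "v=DKIM1; k=rsa; tw=1; p=MIGfMA0GCSqGSIb3",
}

_TAG = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$", re.DOTALL)

def parse_tag_list(text):
    """Parse a DKIM ';'-separated tag=value list into a dict (unknown tags kept)."""
    tags = {}
    for field in text.split(";"):
        m = _TAG.match(field)
        if m:
            tags[m.group(1)] = m.group(2)
    return tags

def trust_marking(dkim_signature_value, signature_verified):
    """Apply the two-element rule to one DKIM-Signature header value.

    Cryptographic verification is assumed to have been done elsewhere; its
    result is passed in.  Only d= (signing domain) and s= (selector, i.e.
    which key signed) are consulted; the From: address is never examined.
    """
    if not signature_verified:
        return "unverified"
    sig = parse_tag_list(dkim_signature_value)
    domain, selector = sig.get("d", "").lower(), sig.get("s", "")
    key = KEY_RECORDS.get(f"{selector}._domainkey.{domain}")
    if key is None:
        return "unverified"                 # no key record for that selector
    if domain not in TRUSTED_DOMAINS:
        return "signed"                     # element 1 missing: no reputation
    if parse_tag_list(key).get("tw") != "1":
        return "signed"                     # element 2 missing: no assertion
    return "trustworthy"

# Constructed signature header values (body hash and signature data are placeholders).
MSA_SIG = "v=1; a=rsa-sha256; d=example.com; s=msa; h=from:to:subject; bh=BODYHASH; b=SIGDATA"
MUA_SIG = "v=1; a=rsa-sha256; d=example.com; s=mua; h=from:to:subject; bh=BODYHASH; b=SIGDATA"
NET_SIG = "v=1; a=rsa-sha256; d=example.net; s=msa; h=from:to:subject; bh=BODYHASH; b=SIGDATA"
```

Only the example.com message signed with the MSA key satisfies both elements; the MUA-signed message from the same domain and the example.net message (assertion without reputation) fall back to a plain "signed" result.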



_______________________________________________
ietf-dkim mailing list
http://dkim.org