ietf-dkim

Re: [ietf-dkim] Review of draft-ietf-dkim-base-00 (1)

2006-03-20 09:38:41


Eric Rescorla wrote:
Dave Crocker <dhc(_at_)dcrocker(_dot_)net> writes:

Well, it certainly is so much easier to write security protocols
if you don't require them to be actually, you know, secure.
Oh.  So you see a technical flaw in DKIM?

Please cite it.  Please indicate what solutions will resolve it.

Failing that, please explain what you mean.

I thought I was clear in the original message. There are well-known
attacks on DKIM when it is used in the absence of DNSSEC. There's
no secret here--it's explained clearly in both documents. Whether it's
a "flaw" or not is a matter of opinion, of course.

Ok.  So you do not like DKIM's use of the current, operational DNS.

As nearly as I can tell, the line of concern you are expressing applies equally to any other dependency on DNS having accurate information.

Since the vulnerability of DNS has been well-known for quite a bit more than 10 years -- or rather, that is how long DNSSEC has been under development -- I guess we either had better note that there is a difference between plausible attacks and vulnerability, versus practical utility, or we all need to stop using the DNS for essentially any of its current applications.

I suspect that that is not an implication you intend.

So, please explain how the universal reliance on the DNS' mapping from domain name to IP address constitutes a fundamentally different security requirement than the one that DKIM has.


Not too happy about having the word disingenuous applied to the
analysis you posted?
No, just bored.
Have you ever noticed how someone making that statement, at the end of
an energetic exchange that they have not won, mostly never means it?

I wonder if that qualifies as disingenuous?

Whatever.

Have you ever noticed how someone making that statement...

d/

--

Dave Crocker
Brandenburg InternetWorking
<http://bbiw.net>
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html