ietf-dkim

[Fwd: EKR - Re: [ietf-dkim] Review of draft-ietf-dkim-base-00 (1)]

2006-03-20 09:58:59
(sorry. firefox does not have a redistribute command. /d)

-------- Original Message --------
Subject: Re: [ietf-dkim] Review of draft-ietf-dkim-base-00 (1)
Date: Mon, 20 Mar 2006 06:04:58 -0800
From: Eric Rescorla <ekr(_at_)rtfm(_dot_)com>
Reply-To: EKR <ekr(_at_)rtfm(_dot_)com>
To: dcrocker(_at_)bbiw(_dot_)net
CC: ietf-dkim(_at_)mipassoc(_dot_)org
References: <20060319174949(_dot_)52D5AB87A(_at_)delta(_dot_)rtfm(_dot_)com> <441E38B3(_dot_)1080702(_at_)dcrocker(_dot_)net>

[Re-sent after a unicast addressing error....]

Dave Crocker <dhc(_at_)dcrocker(_dot_)net> writes:

>> S 1.1.
>>    o  there is no dependency on public and private key pairs being
>>       issued by well-known, trusted certificate authorities,
>> This claim seems somewhat disingenuous.
>
> It shouldn't. The statement is simply and directly accurate, as given.
>
> The problem with the analysis you provided is that it conflates a dependency
> that DKIM *does* have on the DNS, with the means that DNS might/will use to
> provide acceptable service.
>
> To pursue the line of concern you have raised, here are some simple questions:
>
> 1. Does DKIM specify anything that looks like a cert authority?
>
>     Answer:  No.
>
> 2. Does DKIM require validity of the data produced by the DNS?
>
>     Answer:  Yes.
>
> 3. Does the DNS provide reasonably good data validity today?
>
>     Answer:  Yes.
>
> 4. Is the current DNS vulnerable?
>
>     Answer:  Yes.
>
> 5. Are CAs required to fix this?
>
>     Answer:  Maybe, but maybe not.  Certainly that is the path being explored,
>     planned on, and maybe even slightly deployed.  Other schemes might have been
>     feasible, but they aren't what has been defined.
>
> In other words, Eric, the logic that goes from DKIM to a CA is rather
> circuitous.  It contains some twists and choices.

Uh, sure, if you say so. The fact is that the document explicitly
suggests that it be secured via DNSSEC, so the path is nowhere
near as indirect as you suggest.


> In fact if you are looking for the characteristic of craftiness that
> is implied by the word disingenuous, then I'd be inclined to suggest
> that it applies more to claiming that DKIM *does* use CAs than to
> the claim that it does not.

Of course you would.

-Ekr


--

Dave Crocker
Brandenburg InternetWorking
<http://bbiw.net>
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
