Re: [ietf-dkim] DKIM in the MUA should not be the goal, just a side benifit
2006-04-19 12:21:26
On Apr 19, 2006, at 1:33 AM, Stephen Farrell wrote:

> Douglas Otis wrote:
>> When a large portion of a country's population goes on vacation for 5
>
> Exactly what portion is that?
> What portion of the population would be enough to matter?

"The expected transit time of a message from originator to recipient"
refers to transit latency where originators and recipients are
typically people. A measure of "normal" or the mean of person to
person email message transit latency will be within the realm of a
few days at most. Concerns related to how long a key should remain
available to protect this transit period must consider typically
induced latencies due to common human behavior.
While machine-to-machine latencies are often measured in seconds,
equipment failure recovery still often gives up after 5 days.
Transports beyond SMTP listed as being protected by DKIM carry the
message to the recipient. These transports may suffer typical spikes
in latency when a person is on vacation. Unusual behaviors will not
be attractive, as the bad actor would have trouble knowing when to
exploit this behavior. The question of expected transit time
requires the consideration of what is "typical" human behavior. The
DKIM charter appears to ask the question of expected transit times of
messages between humans. The norm is not interesting, but social
behavior is predictable.
The WG may conclude the mailbox following a vacation will not be
assured protection based upon their inadequate recommendations. This
would be unfortunate. A criminal could easily take advantage of such
poor recommendations and run phishing expeditions during typical
vacation periods. People, being social, often exhibit predictable
behaviors that criminals often exploit. Going on vacation is a
classic example. A person coming back from vacation finding urgent
notices from their bank, who also learns messages do not verify after
a few days, would be exposed to possible exploits that deliberately
spoof such messages knowing many other valid messages will also not
verify.
In a quote from the Cornell page:
"In Europe, vacation time often occurs in August--all of August! A
European Union directive prescribes four weeks annual leave for all
employees (EC 93/104 Art.7(1))."
Average Number of Vacation Days Per Year
Italy 42 days
France 37 days
Germany 35 days
Brazil 34 days
United Kingdom 28 days
Canada 26 days
Korea 25 days
Japan 25 days
U.S. 13 days
Source: World Tourism Organization (WTO).

> I bet a beer that there are more Swedes who have an email address
> they never or sporadically read than there are Swedes who
> regularly read mail except for during their supposed 5-week offline.
> But that's as bogus as your assertion, since it's also based on no data.

At this point in time, until some data supports the duration of the
typical spikes in latency due to vacations, assuming the WG decides
to protect recipients over their vacation, the recommendations made
in Section 5.2 in the base draft should only explain what the key
availability duration should cover, and not indicate that 7 days is
okay. In my view, 7 day key availability is not adequate to protect
emails to the recipient at the MUA. By assuring protection at the
MUA, DKIM can offer protection once the sender starts signing their
messages, and the recipient obtains an email client able to verify
DKIM signatures. No other dependency would slow DKIM deployment and
use. There would be no delay induced waiting for the deployment of
results-header handling, for example.

> If you've got a real distribution, then that'd be interesting.
> Deriving/divining a figure of 6.26 days without that isn't usefully
> more interesting. Maybe John would like ASRG to include this as
> part of their work.

The standard deviation figure was mentioned to explain that the
nature of the distribution of the data must be considered before
making conclusions about what a standard deviation implies. If the
WG decides to protect individuals over their vacation, then the
duration of these vacations could be assessed using statistics.
Looking at POP polling intervals and running statistics on this
information as a whole will overwhelm the information related to
vacations. Looking for periods longer than a few days of no polling
might provide suitable information. With the US typically taking
short vacations, the more interesting data would also likely be found
elsewhere.

> Again, all this is an aside for us. There's no required correlation
> between x= and key life cycles. Please stop flogging that dead horse.

The x= parameter is a totally separate issue. Where have I conflated
the two?
-Doug
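A small model of the key-availability question argued above, added here as an illustration and not code from the thread or from any DKIM implementation. It assumes a signer that rotates selectors every 30 days and keeps each retired selector's public key in DNS for a configurable number of days, and a recipient MUA that verifies only when the message is first read; the read-delay sample is constructed.

```python
"""DKIM key availability vs. recipient read latency (added model)."""
from dataclasses import dataclass

ROTATE_DAYS = 30  # assumed selector rotation period (constructed value)

# Constructed sample of days between delivery and first read at the MUA;
# the long tail stands in for vacation periods.
SAMPLE_READ_DELAYS = [0, 0, 1, 1, 2, 3, 5, 8, 14, 21, 28, 35]


@dataclass(frozen=True)
class Selector:
    name: str
    active_from: float      # day the selector starts signing
    active_until: float     # day it stops signing (rotation)
    retention_days: float   # days the key stays published after rotation

    def published_until(self) -> float:
        return self.active_until + self.retention_days


def selector_for(sign_day: float, retention_days: float) -> Selector:
    """Selector that would have signed a message on `sign_day`."""
    start = (sign_day // ROTATE_DAYS) * ROTATE_DAYS
    return Selector(f"s{int(start)}", start, start + ROTATE_DAYS, retention_days)


def verifies_at_mua(sign_day: float, read_day: float, retention_days: float) -> bool:
    """True if the public key is still in DNS when the MUA first verifies."""
    sel = selector_for(sign_day, retention_days)
    return sign_day <= read_day <= sel.published_until()


def unverifiable_fraction(sign_day: float, read_delays, retention_days: float) -> float:
    """Share of sampled messages whose key is gone by the time they are read."""
    fails = sum(not verifies_at_mua(sign_day, sign_day + d, retention_days)
                for d in read_delays)
    return fails / len(read_delays)


def required_retention(read_delays) -> float:
    """Retention after rotation needed so that a message signed on the
    selector's last active day still verifies for every sampled delay."""
    return max(read_delays)


if __name__ == "__main__":
    last_active_day = ROTATE_DAYS - 0.5  # worst case: signed just before rotation
    for keep in (7, 42):
        frac = unverifiable_fraction(last_active_day, SAMPLE_READ_DELAYS, keep)
        print(f"retention {keep:2d} days: {frac:.0%} of sampled messages fail at the MUA")
    print(f"retention needed for this sample: {required_retention(SAMPLE_READ_DELAYS)} days")
```

With a 7-day retention the worst-case message verifies only if read within 7 days of rotation, so every delay in the sample's vacation tail fails; the retention that covers the sample is its longest read delay.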
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html