On Jul 4, 2006, at 10:22 PM, Jim Fenton wrote:
Paul Hoffman wrote:
At 10:40 AM +0100 7/4/06, Stephen Farrell wrote:
#3 1.1, 2nd set of bullets. dkim *does* require a ttp - the DNS.
Better to say that dkim requires no *new* ttp.
I don't see DNS as a "third party" in the same sense as a CA for certs. Yes, DNS has to work, but it isn't a third party (unless you want to count the root servers, I suppose). By this logic, we should also include the multiple third parties that run the routers and all the rest of the infrastructure.
In my little PKI-riddled mind, the DNS is a TTP since it supplies the public keys and if/when DNSSEC were used, it starts to look quite like a PKI. The routers etc. won't ever really be supplying signed key records. But if no-one else thinks the same, leaving as-is is of course right.
My brain has the same affliction as Stephen's in this department. The
keys have to be distributed somehow. The keys are not inherently
trusted. DKIM users trust the keys they get from the DNS. The DNS is
the trusted third party who hands out keys.
I'm also with Stephen on this. I think it helps our credibility to
acknowledge the dependency on DNS, although the threat document has
already spelled that out in some detail.
DKIM generally represents a domain-wide entity. A trusted third party (TTP) establishes trust between two parties when both trust the third party. For DKIM, the TTP would be the signing domain verified by DNS. To be a TTP, the signing domain would need to be known and trusted by the verifier (the second party) for signing email addresses of different domains (the first party), or this does not represent three parties. DNSSEC, except for making a stronger verification of the signing domain, does not alter this model. Unless DKIM is expected to be commonly used with third-party signatures, it seems inappropriate to describe DNS as a TTP, nor does DNS represent a discrete entity or party.
-Doug
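The DNS dependency debated above, as an added example that is not part of the thread: a Python sketch of the verifier step that turns the d= and s= tags of a DKIM-Signature into the DNS name it must resolve, reads the key record the DNS hands back, and classifies the signature as first-party or third-party against the author's From: domain. The header, From: domain and key record are constructed sample values with placeholder key bytes; no DNS lookup or cryptographic check is performed.

```python
# Added example, not from the thread. Sample values are constructed;
# the "p=" key bytes are placeholders and nothing is actually verified.
import re

def parse_tags(tag_list):
    """Parse a DKIM tag=value list (signature header or key record)."""
    tags = {}
    for item in tag_list.split(";"):
        if "=" in item:
            name, _, value = item.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", value)  # drop folding
    return tags

def key_query_name(sig):
    """The DNS TXT name a verifier resolves to fetch the signer's key."""
    return f"{sig['s']}._domainkey.{sig['d']}".lower()

def classify(sig, key_record, author_domain):
    """Classify a signature relative to the author (From:) domain.

    Returns 'revoked', 'rejected', 'first-party' or 'third-party' following
    RFC 4871: an empty p= revokes the key; i= must be d= or a subdomain of
    it; the key's t=s flag requires the i= domain to equal d= exactly.
    """
    key = parse_tags(key_record)
    if not key.get("p"):
        return "revoked"
    d = sig["d"].lower()
    i_domain = sig.get("i", "@" + d).rpartition("@")[2].lower()
    if i_domain != d and not i_domain.endswith("." + d):
        return "rejected"            # identity outside the signing domain
    if i_domain != d and "s" in key.get("t", "").split(":"):
        return "rejected"            # t=s forbids subdomain identities
    if author_domain.lower() == d:
        return "first-party"
    return "third-party"

# Constructed sample: a mailing-list domain signing mail authored elsewhere.
SAMPLE_SIG = parse_tags(
    "v=1; a=rsa-sha256; d=list.example.net; s=jun2006; c=relaxed/simple;\r\n"
    " i=@list.example.net; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")
SAMPLE_KEY = "v=DKIM1; k=rsa; t=s; p=PLACEHOLDERKEYBYTES"

if __name__ == "__main__":
    print(key_query_name(SAMPLE_SIG))            # jun2006._domainkey.list.example.net
    print(classify(SAMPLE_SIG, SAMPLE_KEY, "example.com"))  # third-party
```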
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html