ietf-dkim

Re: DKIM TTPs (was Re: [ietf-dkim] editorials and nits)

2006-07-05 16:25:13

On Jul 5, 2006, at 2:36 PM, Paul Hoffman wrote:

> At 12:44 PM -0700 7/5/06, Douglas Otis wrote:
>> DKIM generally represents a domain wide entity. A trusted third party (TTP) establishes trust between two parties when both trust the third party. For DKIM, the TTP would be the signing domain verified by DNS.
>
> This is completely wrong, and goes against nearly everything that this WG has been working on. The signing domain is *not* trusted.
>
> Does anyone other than Doug think that it is?


You have misunderstood what was being said. A signing domain can be a trusted first party, but unless DKIM becomes commonly used with third-party signing domains, a signing domain will not become a generally trusted third-party. As an example, imagine an entity "trustworthy-email-accreditations.com" issues keys where a public half is published within their DNS domain, and the private half is sent to senders that comply with their provisos. For EHLOs, "trustworthy-email-accreditations.com" could also offer A RRs in addition to DKIM key RRs. When "trustworthy-email-accreditations.com" becomes trusted for their vetting of email senders, they will have established themselves as a trusted third-party signing domain. As I said, I don't think that is how most expect DKIM to be used. Barring that model of use, DKIM does not offer TTP services.

A DNS domain delegation says little about email related behaviors. In addition to establishing a real identity and exposure to litigation, the behavior of an entity is generally a major component of the trust established by a TTP. The information provided by DNS is that a signing domain (perhaps owned by an anonymous entity) was involved with the content of a message. While DNS offers trustworthy domain delegations involving anywhere from a few to hundreds of separate entities, DNS domain delegation says vanishingly little about email related interactions and behaviors. DKIM's use of DNS is little better than verifying the EHLO host name's IP address, except a DKIM signature survives beyond the first hop.

TTP services are simply not a normal component of either DKIM base or SSP. SSP provides for a level of repudiation, but name-path registration offers even greater DoS protections with a similar level of repudiation when desired.

-Doug
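The accreditation model sketched in this message, and the point made in both messages that a verified signature identifies a signing domain without making it trusted, can be shown in code. The Go program below is an added example written for this archive page; it is not code from any thread participant or from the DKIM working group. It assumes a deliberately simplified DKIM: no header or body canonicalization, only the From header covered, a map standing in for DNS, and "trustworthy-email-accreditations.com" used as the hypothetical accreditor from the message. The Verify function returns only the d= domain that vouched for the message; a separate Decide function, which real DKIM does not provide, maps that domain to a trust outcome using a receiver-side policy table.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Zone stands in for DNS: "selector._domainkey.domain" -> TXT record (simplified DKIM model).
type Zone map[string]string

// PublishKey stores a DKIM-style key record for pub under selector and domain.
func PublishKey(z Zone, selector, domain string, pub *rsa.PublicKey) {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	z[selector+"._domainkey."+domain] = "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// tag returns the value of key in a "k=v; k=v" list, or "" when absent.
func tag(list, key string) string {
	for _, part := range strings.Split(list, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 && kv[0] == key {
			return strings.TrimSpace(kv[1])
		}
	}
	return ""
}

// signingInput hashes what the signature covers: the From header plus the tag list with an empty b=.
func signingInput(from, unsigned string) []byte {
	d := sha256.Sum256([]byte("from:" + from + "\r\n" + unsigned))
	return d[:]
}

// Sign builds a simplified DKIM-Signature value; d= names the key owner (the TTP in the accreditation model).
func Sign(from, body, selector, domain string, priv *rsa.PrivateKey) (string, error) {
	bh := sha256.Sum256([]byte(body))
	unsigned := fmt.Sprintf("v=1; a=rsa-sha256; d=%s; s=%s; h=from; bh=%s; b=",
		domain, selector, base64.StdEncoding.EncodeToString(bh[:]))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, signingInput(from, unsigned))
	if err != nil {
		return "", err
	}
	return unsigned + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify checks body hash and signature against the zone's key and returns the signing domain only.
func Verify(from, body, sigHeader string, z Zone) (string, error) {
	domain, selector := tag(sigHeader, "d"), tag(sigHeader, "s")
	name := selector + "._domainkey." + domain
	// A missing record decodes to an empty key and fails here together with malformed ones.
	der, _ := base64.StdEncoding.DecodeString(tag(z[name], "p"))
	pub, err := x509.ParsePKIXPublicKey(der)
	rsaPub, ok := pub.(*rsa.PublicKey)
	if err != nil || !ok {
		return "", errors.New("no usable RSA key record at " + name)
	}
	bh := sha256.Sum256([]byte(body))
	if tag(sigHeader, "bh") != base64.StdEncoding.EncodeToString(bh[:]) {
		return "", errors.New("body hash mismatch")
	}
	// Base64 contains neither ';' nor ' ', so "; b=" can only be the signature tag itself.
	before, sigB64, found := strings.Cut(sigHeader, "; b=")
	if !found {
		return "", errors.New("missing b= tag")
	}
	sig, _ := base64.StdEncoding.DecodeString(sigB64) // a malformed b= simply fails verification
	if err := rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, signingInput(from, before+"; b="), sig); err != nil {
		return "", err
	}
	return domain, nil
}

// Decide is the step DKIM itself does not perform: turning a verified signing domain into
// a trust outcome. accredited is the receiver's own policy table of third-party signers.
func Decide(signingDomain, from string, accredited map[string]bool) string {
	switch fromDomain := from[strings.LastIndex(from, "@")+1:]; {
	case signingDomain == fromDomain:
		return "first-party signature from " + signingDomain
	case accredited[signingDomain]:
		return "third-party signature; " + signingDomain + " is locally trusted as an accreditor"
	default:
		return "third-party signature; " + signingDomain + " verified but not trusted"
	}
}

func main() {
	ttp := "trustworthy-email-accreditations.com" // hypothetical accreditor from the thread
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	zone := Zone{}
	PublishKey(zone, "s1", ttp, &priv.PublicKey)
	from, body := "alice@example.net", "constructed sample body\r\n" // constructed values
	sig, _ := Sign(from, body, "s1", ttp, priv)
	d, err := Verify(from, body, sig, zone)
	fmt.Println("signing domain:", d, "err:", err)
	fmt.Println(Decide(d, from, nil), "|", Decide(d, from, map[string]bool{ttp: true}))
}
```

Running it shows the shape of Doug's argument: the signature verifies against the accreditor's key, so the signing domain is established, but whether that identity carries any trust is decided entirely outside DKIM by the receiver's accredited table, which DNS delegation never fills in.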



_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
