Re: DKIM TTPs (was Re: [ietf-dkim] editorials and nits)
2006-07-06 10:08:51
On Jul 5, 2006, at 6:35 PM, Stephen Farrell wrote:

> Douglas Otis wrote:
>
>> From your reference:
>> ---
>> In cryptography, a trusted third party (TTP) is an entity which
>> facilitates interactions between two parties who both trust the
>> third party; they use this trust to secure their own interactions.
>> TTPs are common in cryptographic protocols, for example, a
>> certificate authority (CA).
>> ---
>> While DNS associates a key with a domain name, there should be no
>> expectation this domain name represents a tangible entity or
>> offers meaningful recourse.
>
> Irrelevant.

Setting expectations within the base draft remains important, where
the current language seems balanced. General expectations related to
typical trusted third-party services usually resolve an identifier to
something tangible. This is not a property of DNS. Describing DNS
as a trusted third party equivalent to the usual trusted
certificate authorities produces inappropriately high expectations.
There are thousands of entities involved in these associations,
where the basis is often limited to just the domain name itself.
It is difficult to consider an amalgam of often anonymous entities
a "trusted third party" for "securing" email interactions. Use of
DNS by DKIM certainly falls short of the expectations of a TTP as
set by Certificate Authorities or the example given of a notary
public. For DKIM to offer security, a separate assessment of the
DKIM domain name should be made (likely by a TTP). In that sense
of trust or "securing" interactions, DNS fails this definition of
TTP for email in my view.

> Perhaps you haven't been involved in the fairly tedious exercise of
> engineering one of these, e.g. when I worked for a large German
> company we made an internal PKI where every building supervisor was
> part of the TTP (mostly as RAs, as it happened). At the time there
> were O(400,000) employees, and about O(1) private keys, so, like
> everyone else, we kind of got used to the idea that a TTP needn't
> be monolithic.

While a service need not be monolithic, the criteria established for the
RA in your example were likely based upon tangible entities. If there
was a problem, there would also be meaningful recourse. DNS domain
delegations and email interactions are orthogonal from a trust
standpoint. While DNS could be called a TTP with respect to domain
delegations (to and by often anonymous entities), with respect to
email interactions, trust is missing. When DKIM is based upon DNS
keys, either pre-arranged acceptance (white-listing) or some other
trusted third party remains essential for secure email interactions.

> Main point is that there *is* an accepted way to use this term, and
> yours is not it.
>
> For DKIM, the DNS is a TTP.

The use of this TTP term with respect to DKIM and DNS creates false
expectations in regard to what DKIM signature verification might
imply. While technically this term could be applied, it remains
misleading.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html