On Jul 7, 2006, at 12:02 PM, Stephen Farrell wrote:
> Douglas Otis wrote:
>> Indeed DNS does not offer a reasonable method to exclude bad
>> actors (secure), where a trusted third-party does.
> Doug is again insisting on grappling gamely with the wrong end of
> the stick.
> The rest of the world however knows that a ttp in an Alice/Bob
> crypto protocol is any entity they trust who can hurt them by
> misbehaving.
Agreed. However, trust established with a third-party is typically
based upon their vetting of an identity against something tangible.
When there is bad behavior, confirmed tangible identifiers provide a
means for accountability. As a result, bad actors are more readily
excluded to better secure interactions. There is also accreditation
by a trusted third party that holds the entity accountable by de-
listing. There is also reputation that holds the entity accountable
by listing. Accreditation or reputation could also be considered
trusted third-parties but does not impose a need to offer tangible
identifiers related to the domain name. Vetting the identity against
something tangible provides more pro-active protections, assuming the
recipient or the CA makes the effort to correlate these identifiers.
> For dkim the dns is such a beast since it can supply Bob with the
> wrong keys for the wrong domains. I think a sufficient number of
> people have agreed with the above that we no longer need debate the
> fact.
The concern is the vetting of identities against something tangible.
This issue of trusted vetting by a third-party is completely separate
from the integrity of DNS itself. When Bob can easily reappear as
another domain name without any confirmed tangible identifiers,
securing email interactions away from bad actors remains futile.
Without some trusted third-party, DNS will not offer a reasonable
means to exclude bad actors. Perhaps whois could someday perform
this role as a trusted third-party, or some other third-party service
could be used, such as a trusted CA, or accreditation et al perhaps.
DNS simply does not ensure tangible identifiers are associated with
the controlling entity of the domain name. DKIM provides a verified
domain that can be checked against a trusted third-party
service. Do not confuse DNS as being analogous to a TTP service,
however.
> Otherwise we should get back to the point, which was put best by
> Mike I think - should base mention the dns' role as a ttp at all,
> and if so how?
No. Not at all. It would be misleading.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html