ietf-dkim

Re: DKIM TTPs (was Re: [ietf-dkim] editorials and nits)

2006-07-07 15:26:07

On Jul 7, 2006, at 1:59 PM, Eliot Lear wrote:

DNSSEC improves the integrity of the delegation process and exchange of resource records. It does not improve upon extremely poor identification vetting that might not even be available to the recipient. The untrustworthy identification associated with DNS means it is very misleading to describe DNS as a trusted third-party analogous to a trusted CA.

Every problem you've mentioned with DNS can occur with CAs. Heck I run my own. What makes you think you can trust me?!

The key term here is trusted. You may offer CA services, but competence and general acceptance will determine whether the service becomes and remains trusted.


All of this having been said, your use of the words "secure email interactions" overstates the purpose of the method.

This comment used terminology offered by the definition provided by Stephen. Indeed DNS does not offer a reasonable method to exclude bad actors (secure), where a trusted third-party does.

Reiterating, every problem you state really has nothing to do with DNS but with registration.

Exactly. How is the registration of domain names separate from the delegation of domain names? Can a bad actor by any other domain name still be held accountable? Unfortunately, no.


That problem is universal, regardless of mechanism. To be fair CAs have a few more gizmos to play with, but the notion of delegation and registration remains the same.

Those that are competent at vetting identities against tangible elements will become and remain trusted. With DNS, there is a notable lack of choice in the matter of trust, and currently every reason to consider the DNS registration process itself is not held accountable. Perhaps the lack of accountability with domain name registration is due to the lack of choice. It would be very misleading to declare DNS replaces a trusted CA, for example. DKIM verifies a domain name that can be readily checked against various lists and trusted third party services. DNS and its associated registration process should not be trusted at this time to have vetted identities against tangible elements when securing interactions and establishing accountability.

-Doug
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
