ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] Delegated signatures in real life

2006-08-30 11:58:18
Oddly enough end user signatures are easy precisely because of the reasons John 
states.

You have to implement key management and the key management can talk to the dns.

XKMS solves these problems wonderfully. The corner cases are the ones in 
between. There is just enough effort required to be a PITA but not enough to 
justify a new infrastructure.

On the admin side where I depart from many in this group is the level of 
tollerance I have for convoluted admin procedures. First as a security 
specialist my experience is they screw up in insecure ways. Second not being a 
paid consultant I see no reason to tolerate high admin overhead.

The deployment scenarios that interest me these days are deployments in areas 
like afghanistan or iraq, places I have no intention of making site visits to, 
I am out of that sort of thing these days.


Sent from my GoodLink Wireless Handheld (www.good.com)

 -----Original Message-----
From:   John Levine [mailto:johnl(_at_)iecc(_dot_)com]
Sent:   Wednesday, August 30, 2006 07:37 AM Pacific Standard Time
To:     ietf-dkim(_at_)mipassoc(_dot_)org
Cc:     ietf-dkim(_at_)kitterman(_dot_)com
Subject:        Re: [ietf-dkim] Delegated signatures in real life

In addition, I would also note that it is extremely easy in a group like 
this to lose track of how non-technical many domain owners are today. 

Right, and that means that they use someone else to provide their
mail service.

Keep in mind that DKIM, unlike SPF, requires the active participation
of whoever runs your outgoing mail server to apply signatures, unless
you are enough of a weenie to run a signing engine in your MUA and do
your own key management.  For the vast majority of non-technical
users, their ISP or hosting company's MTA will apply its own
signature, and that will be good enough.  Indeed, it will probably be
better than a tiny domain's own signature, since whatever formal or
informal reputation systems recipients use are much more likely to
have entries for the ISP than for a tiny domain that sends 12 messages
a week.

I suppose it is hypothetically possible that providers will upgrade
their MTAs to support per-domain DKIM signing and out of perverse
hostility won't offer the DNS support for it.  That has never
impressed me as a scenario likely enough to be worth inventing a new
mechanism with unknown security problems that has to be implemented by
all DKIM recipients.

R's,
John

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html