ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] New Issue: overview document does not mention message validity

2008-03-18 20:56:56
Hmmm.

1.  Abstract and 1. Intro cite data integrity.  Does there need to be more 
detail explaining that cryptographic authentication provides data integrity too?

1.  1.1 Scope lists things DKIM does not deal with, including a replay attack. 
Does the text really need more discussion than that?

Here's core question with this sort of overview:  It can include too much 
tutorial about basic technology, rather than focusing on the specifics of the 
technology it is meant to describe.  Some pedagogy is needed, but how much?

d/


J D Falk wrote:
Suggested addition to section 2, though I'm not entirely certain that
"validity" is the correct word to use here:

2.3.  Establishing Message Validity

   Though man-in-the-middle attacks are historically rare in email,
   it is nevertheless theoretically possible for a message to be
   modified during transit.  An interesting side effect of the
   cryptographic method used by DKIM is that it is possible to be
   certain that a signed message (or, if l= is used, the signed
   portion of a message) has not been modified.  If it has been
   changed in any way, then the message will not be verified
   successfully with DKIM.

   As described above, this validity neither lowers nor raises the
   level of trust associated with the message.  If it was an
   untrustworthy message when initially sent, the verifier may be 
   certain that the message will be equally untrustworthy upon 
   receipt and successful verification.

--
J.D. Falk
Receiver Products
Return Path 

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html


-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html