Steve Atkins <steve(_at_)wordtothewise(_dot_)com> wrote:
> On May 30, 2011, at 3:23 PM, Murray S. Kucherawy wrote:
>> or at least the chain-of-trust capability, but no proof that the
>> increased risk is worth the increased gain.
>
> Chain of trust is a somewhat different thing, and could likely be
> implemented with little, if any, increased risk in the case where the
> MLM is trusted (for some meaning of the word that probably boils down
> to manual whitelist or positive reputation of the MLM operator) by the
> recipient.
>
> The MLM signing the re-sent message, including an A-R header or some
> slight variant, is the obvious way. I don't think there's much gain to
> be had there, but it can be done with little effort and little risk.

Chain of trust is always an appealing model. Unfortunately, it hasn't been
used successfully over the open Internet. The closest we are coming to having
an example of its working is DNSSec, which actually has a very, very
constrained model and relatively short chain. Its utility as a demonstration
of success is also very new. It's not a 'complete' example.

There is a tendency to believe that operational changes are preferred over
protocol changes. That's essentially the difference between formulating a model
of trusting the sequence of message handlers, versus devising an authentication
technique that survives the sequence of handlers.

Unfortunately, operational changes for security tend to make a more fragile
model.

d/
--
Dave Crocker
bbiw.net