On Wed, 2004-12-01 at 11:32, Dave Crocker wrote:
On 30 Nov 2004 17:54:00 -0800, Stephen Pollei wrote:when to comes to phish/fraud scenarios I don't think DK adds much value over just using spf. I have a two part reasoning for this assertion.
The purpose of the mailing list is for technical discussions to produce a specification for an encryption-based message-signing mechanism that can be used to hold an entity responsible for posting the message.
OK so did you read my technical criticisms of DK and suggesting that http://www.elan.net/~william/emailsecurity/meta_signatures.htm seems more interesting to me? Did you read where I criticized DK for being to coarse-grained and how that coarse-graininess might cause legal liability problems? IE you want to hold a person in a role accountable/responsible not a domain name which may or may not even denote a cohesive legal entity. Emails from yahoo and hotmail surely do not come from a cohesive agency -- it consists of people which even have competing business interests. I gave an real world sample event -- a phish about a bank; From which I showed that even a bank will not want to coarse-grain their signatures and thus a signature scheme should be able to be fine-grained or it will cause problems in the real-world set of problems digital signatures can address. The law and court cases about apparent/ostensible authority and digital signatures as they stand today probably mix in a way that is toxic for many real world organizations today. Actually they might not want to use either gpg keys or X.509 certificates as they stand today for some of those reasons. When wamu.com signs the public key cert for lisa_sue(_at_)wamu(_dot_)com they might want some kind of rdf descendant of foaf and saml in there so you a third part can not deny that they were told she was just the secretary in the PR department when they checked the signature on her email telling you :" Your mortgage has been sold, please send your future mortgage payments to caymen-bank.com instead." . It would boil down to: Did you check the signature? yes) then we *notified* you she was a Public Relations person, and didn't have power to effect or notify you of mortgage changes. You received email from peggy_lee(_at_)wamu(_dot_)com and checked her signature as well, in that you can see we used foaf2.5 and saml3.7 to tell you see could handle mortgages. Also it is banking standard practice endorsed by the Electronic Banking Security Trade Association and practiced by Chase Manhattan, and CitiBank among others. no) well a *reasonable* *person* knows that there is tons of email related fraud and you need to do *due* *diligence* on email received. Reiterate the stuff about standard practice.
It is always great fun to debate differences in paradigms, such as a route registration technique like SPF, versus a message signing technique like domainkeys.
It didn't intend a paradigm debate, nor particularly to have fun. I was very seriously trying to point out what kind of things I would like to see in a digital signature standard. Things that you can't get using other techniques. I am sorry if I also happened to point out that if you neuter the power inherent with-in a digital signature standard that it isn't likely to be much better or worse than some other approaches for a narrowly defined task. I'm sorry if you have some kind of sore spot from debating some other people with other points of views. You might also happen to notice that I do digitally sign my messages, and I support spf. I don't see it as a debate, but as both having their appropriate place. The only thing I don't see the real point of is putting weight behind a watered down signature standard like DK when it has pgp, IIM, S/MIME, META and yes even spf to compete among.
Hence, this line of debate and criticism is off topic.
The only criticism I have is of DK, not of digital signatures. I'd think technical criticism of various particular issues with the various signature initiatives would have been *spot* *on* topic for this list -- of course I'm new here, so maybe you have some other agenda here. Most technical places like weaknesses and shortcomings pointed out so the end result can be made stronger. If you believe that my criticism is out of place for this list, please tell me and I'll unsubscribe and refrain from posting here. -- http://dmoz.org/profiles/pollei.html http://sourceforge.net/users/stephen_pollei/ http://www.orkut.com/Profile.aspx?uid=2455954990164098214 http://stephen_pollei.home.comcast.net/ GPG Key fingerprint = EF6F 1486 EC27 B5E7 E6E1 3C01 910F 6BB5 4A7D 9677
signature.asc
Description: This is a digitally signed message part