Re: Want a BoF at IETF 62?


ned(_dot_)freed(_at_)mrochek(_dot_)com writes:

   I've asked this before, and I'll ask it again: what
   problem does that solve? "Good enough" that doesn't
   solve real world problems is not "good" or "enough".


It provides a sufficient basis to deploy a domain-level message 
authentication
system.

Of course this is not, in and of itself, capable of addressing the spam
problem, since spammers will simply register random domains with whatever
credentials they need. But this issue of what the identity the message is 
bound
to actually means arises in all signature schemes. What this scheme has that
the end to end proposals do not is the ability to be deployed on top of
existing infrastructure.


You're sidestepping my question: how do you quantify "good
enough"? This seems highly dependent on the actions that a
receiving domain takes upon receipt of a signed piece of
mail. The most naive thing I can think of doing is
highlighting signed mail as to whether it was authorized
(green) or not (red). In fact, I do this today with
Evolution with a couple of input filters for IIM. For that
to be satisfactory for your average user, the green-red
ratio must be *really* high, otherwise clueless users are
going to complain and make a worse situation for their ISP
or employer. "Good enough" here has a fairly high barrier.

But feel free to tell me other use scenarios where "Good
enough" requires far, far lower breakage rates. I'm all for
not letting the best be the enemy of the good, but you have
to know friend from foe before you do that.

This in turn means that we need to start considering how to attach meaning to
domain identities sooner rather than later, e.g. by devising some form of
accreditation mechanism. Believing that signature schemes will widely deploy
when the signatures they produce have no meaning is a fantasy, plain and
simple. So, while the signature and accreditation problems are in some
sense separate, they both have to be solved before we'll have something
useful. And this is also something that's missing from the current
charter.


Do you see any value in the home domain authorizing a piece
of mail sent from it? That is, do you think that problem is
even worth solving? With IIM, you don't _have_ to perform
the KRS check, after all -- it could be used purely as a
means of identifying the sender for use by a third party.
And again, for survivability what would be "good enough"?
When would receivers just throw up their hands and say
"broken protocol; ignore"?

                  Mike

<Prev in Thread]	Current Thread	[Next in Thread>
Re: Want a BoF at IETF 62?, Russ Housley Re: Want a BoF at IETF 62?, ned . freed Re: Want a BoF at IETF 62?, Andrew Newton Re: Want a BoF at IETF 62?, Russ Housley Re: Want a BoF at IETF 62?, Andrew Newton Re: Want a BoF at IETF 62?, Sam Hartman Re: Want a BoF at IETF 62?, Andrew Newton Re: Want a BoF at IETF 62?, Sam Hartman RE: Want a BoF at IETF 62?, Hallam-Baker, Phillip Re: Want a BoF at IETF 62?, Michael Thomas <= Re: Want a BoF at IETF 62?, ned . freed Re: Want a BoF at IETF 62?, Michael Thomas Re: Want a BoF at IETF 62?, ned . freed Re: Want a BoF at IETF 62?, Michael Thomas Re: Want a BoF at IETF 62?, ned . freed Re: Want a BoF at IETF 62?, Michael Thomas Re: Want a BoF at IETF 62?, ned . freed Re: Want a BoF at IETF 62?, Michael Thomas Re: Want a BoF at IETF 62?, ned . freed Re: Want a BoF at IETF 62?, Jim Fenton

Previous by Date:	RE: Want a BoF at IETF 62?, Hallam-Baker, Phillip
Next by Date:	Re: Want a BoF at IETF 62?, Jim Fenton
Previous by Thread:	RE: Want a BoF at IETF 62?, Hallam-Baker, Phillip
Next by Thread:	Re: Want a BoF at IETF 62?, ned . freed
Indexes:	[Date] [Thread] [Top] [All Lists]