ietf-mailsig
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Comments on draft-allman-dkim-base-00.txt

2005-08-02 20:49:07
from [Eric Rescorla] [Permanent Link] 

Scott Kitterman <scott(_at_)kitterman(_dot_)com> wrote:




-----Original Message-----

From: owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org

[mailto:owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org]On Behalf Of Eric 
Rescorla
Sent: Tuesday, August 02, 2005 9:35 PM
To: Jon Callas
Cc: ietf-mailsig(_at_)imc(_dot_)org; hartmans-ietf(_at_)mit(_dot_)edu; 
housley(_at_)vigilsec(_dot_)com
Subject: Re: Comments on draft-allman-dkim-base-00.txt



Jon Callas <jon(_at_)callas(_dot_)org> wrote:



We put spam and phishing last, and identity protection first, for the
exact reasons that you stated at the first MASS BOF:  these are social
problems, and do not lend themselves to a purely technical solution.

We consider DKIM to be an authentication foundation for accreditation,
reputation and other authorization services. Presently, there is not a
good, reliable mechanism to build these on other than IP address. DKIM
uses digital signatures to provide that foundation.


You can't ignore the fact that the reason people are interested
in this is as part of a spam/phishing filtering system. In
such a system, the value of reducing identity forgery is
primarily to enable whitelisting, which has the purpose of
reducing false positives. So, it needs to be asked whether that
is a useful technique.


That may be true from the receiver's perspective.  From the signer/sender's
perspective the primary value of reducing identity forgery is defensive.  As
a sender, what I want is for the forger/spammer to use some domain other
than mine or the ones I'm responsible for.  If signing with DKIM and
publishing a policy saying that all messages are signed with DKIM provides a
sifficent deterrent for the forger/spammer to go elsewhere, then from the
sender's perspective it's a victory.  It's the flip side of the same coin.


I see your point but I don't consider this to really be the important
factor. The primary cost to the (alleged) sender of forged spam is 
the cost of processing bounces--but there are techniques to mitigate
this that are less expensive than DKIM. The situation with phishing
is a bit different in that it's truly of some value to avoid having
mail forged as e.g., ebay.com. But in the face of the level of social
engineering that goes on here (3bay.com, etc.) I would want to see
some real data and analysis that indicates that stopping this would be likely
to be a big improvement.

-Ekr
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Comments on draft-allman-dkim-base-00.txt, Hallam-Baker, Phillip
Next by Date:  Re: Comments on draft-allman-dkim-base-00.txt, domainkeys-feedbackbase02
Previous by Thread:  RE: Comments on draft-allman-dkim-base-00.txt, Scott Kitterman
Next by Thread:  Re: Comments on draft-allman-dkim-base-00.txt, domainkeys-feedbackbase02
Indexes:  [Date] [Thread] [Top] [All Lists]