On Aug 4, 2005, at 3:22 PM, Arvel Hathcock wrote:
> I'm still a little fuzzy on what "threat analysis" means (sorry,
> I'm a newb). It seemed to be two things - (a) what is the precise
> security problem DKIM is attempting to address and (b) what are all
> the attack vectors and vulnerabilities associated with DKIM.

There are many threats analysis documents to use as examples, but
even Steve Bellovin admitted that the IETF has not actually
documented what it means by "threats analysis". Like the security
considerations section of drafts, this needs to transition from IETF
expected practice to IETF formal practice. DKIM just happens to be
caught in the middle of this organic process.

I like the way you have phrased both a and b.

> Assuming (a) is correct, here's all I have to offer so far: Email
> today is not accountable. The absence of accountability is an
> implicit threat to security. DKIM proposes to increase the level
> of accountability within email by allowing willing signers to
> assert some degree of responsibility for an email message. The
> extent to which this accountability is asserted will lower the
> level of non-accountable email proportionally.
>
> As for the benefits of DKIM, I accept as a priori true that it is
> better to know something than to know nothing. DKIM's ability to
> convey something about the identity of the signer and integrity of
> the message content is a non-ZERO positive gain in knowledge.
> Therefore, it has benefit in that regard if in no other. If you
> hold that having some understanding of who is attempting to contact
> you has no value, then you can switch off your home phone's
> caller-id, tape over the peep-hole in your front door, and oh yeah,
> strip out the FROM header in all your emails with a content-filter :)
>
> If the question is "Ok, but what can be DONE with that knowledge"
> one could answer with the reputation/accreditation mantra. But
> this is really a separate question than "does DKIM provide value".

But this is where I believe the disconnect occurs. I believe the
participants of the security area understand in very clear terms the
issues about authentication, authorization, reputation and
accreditation. I also believe they have a very good idea what it is
DKIM is designed to do, and that their insistence that these
questions be answered is for our benefit and not theirs.

To answer a, I believe we are better served simply by giving a
straightforward answer: the purpose of DKIM is to prevent forgery of
email identities in the headers of email messages.
-andy