[ietf-dkim] DKIM Threat Assessment v0.02 (very rough draft)
Arvel Hathcock
arvel at altn.com
Thu Aug 11 13:08:00 PDT 2005
> Am I accurate in my summation?
Yes. This is my understanding of DKIM.
--
Arvel
----- Original Message -----
From: "Earl Hood" <earl at earlhood.com>
To: <ietf-dkim at mipassoc.org>
Sent: Tuesday, August 09, 2005 4:32 PM
Subject: Re: [ietf-dkim] DKIM Threat Assessment v0.02 (very rough draft)
> On August 9, 2005 at 13:13, Dave Crocker wrote:
>
>> The intended thought was that having ANY accountable entity -- where the
>> accountability is meaningful -- improves the likely validity of the other
>> identity fields.
>>
>> So, no, I had not intended to make direct validation of From or Sender a
>> primary goal.
>
> If I understand your goals correctly, you see DKIM mainly defining the
> domain owner the accountable entity for messages sent from that domain
> versus the author/sender of the message. This implies that the domain
> owner has some effective "policing" mechanism of the messages that
> come from that domain regardless of who the author/sender is.
>
> The author/sender has no direct accountability, or verifiability,
> of their messages, with the exception of whatever domain-defined
> accountability mechanism may be in place. I.e. The author/sender
> is only accountable to the owner of the domain it sends message from.
>
> If any messages from a domain are abusive in nature (e.g. phishing),
> it is the responsibility of the respective domain owner to address
> the offending authors/senders, assuming that not doing so could get
> the domain's reputation tarnished.
>
> Since end user recipients do not need DKIM-aware MUAs, determining
> which domains are "abusive" is the responsibility of receiving
> domain owners.
>
> Am I accurate in my summation?