[ietf-dkim] Not exactly not a threat analysis

Douglas Otis dotis at mail-abuse.org
Mon Aug 15 14:49:14 PDT 2005


On Aug 15, 2005, at 1:24 PM, Earl Hood wrote:

> On August 15, 2005 at 09:53, Douglas Otis wrote:
>
>
>> The term "responsible for the message" gives the impression of
>> authorship.  How about "accountable for permitting the submission of
>> the message (by an unknown author)"?
>>
>
> According to Webster, "responsible" and "accountable" are basically
> interchangeable.

With confusion regarding what is implied by the verification of the  
DKIM signature, DKIM proponents must be careful about making claims  
regarding content or authorship.  DKIM does not discern whether a key  
has been delegated, whether content has been reviewed, and whether  
users are limited to specific mailbox-addresses.  While various  
ancillary assertions regarding a mailbox-domain may mandate specific  
signing domains, DKIM must not make assurances regarding content or  
authorship, or how the message is processed.

While these two terms "responsible" and "accountable" are similar,  
"responsible" tends to connote involvement with content or  
authorship.  Whereas, "accountable" tends to connote being held  
accountable for their client's actions.  Much as parents are held  
accountable for their children's actions.  The child could still be  
considered responsible for their own deeds by the parent, but the  
parent must still bear the burden of any misdeeds.


> I think your second sentence hits a key point, "What form of
> responsibility does a signer take when it signs a message?".  Is it
> responsible for allowing the submission of the message?  Is it
> responsible for the contents of the message?  Both?


It may not be the content of the message that is abusive, but rather  
the number.  DKIM should be seen as establishing a hierarchy of  
accountability.  This hierarchy improves effectivity of abatement  
efforts by involving fewer entities.  Unlike S/MIME or OpenPGP, the  
resolution for accountability remains at the domain.  By limiting the  
resolution of accountability, the ability of DKIM to scale and enjoy  
wide deployment is greatly improved.  All efforts to include more  
than just the domain must be steadfastly resisted.


> Taking responsibility on the submission of a message is different
> than responsibility of its contents.


Said differently, being accountable for the submission of messages is  
different than being responsible for the message's content.  Not  
caring about the message's content still allows DKIM to offer great  
value.


> BTW, as DKIM is currently defined, a DKIM signature may not be by the
> party that allowed initial submission of the message.  DKIM either
> needs stronger binding semantics, or it needs to limit when signing
> can be done.

Anytime a message is signed, message accountability should be  
considered anew. The chain of accountability (or trust) is from the  
signer to the recipient.  The signing domain is held accountable for  
those messages it submits, who in turn should hold their clients  
accountable for messages reported as abusive.  DKIM establishes a clear  
hierarchy of accountability.

Adding multiple signatures would not be as effective as a general  
rule of not re-signing the message when possible.  It seems rather  
foolish to be placing these monkeys on your back.

-Doug


