[ietf-dkim] Not exactly not a threat analysis
dotis at mail-abuse.org
Mon Aug 15 14:49:14 PDT 2005
On Aug 15, 2005, at 1:24 PM, Earl Hood wrote:
> On August 15, 2005 at 09:53, Douglas Otis wrote:
>> The term "responsible for the message" gives the impression of
>> authorship. How about "accountable for permitting the submission of
>> the message (by an unknown author)"?
> According to Webster, "responsible" and "accountable" are basically
With confusion regarding what is implied by the verification of the
DKIM signature, DKIM proponents must be careful about making claims
regarding content or authorship. DKIM does not discern whether a key
has been delegated, whether content has been reviewed, and whether
users are limited to specific mailbox-addresses. While various
ancillary assertions regarding a mailbox-domain may mandate specific
signing domains, DKIM must not make assurances regarding content or
authorship, or how the message is processed.
While these two terms "responsible" and "accountable" are similar,
"responsible" tends to connote involvement with content or
authorship. Whereas, "accountable" tends to connote being held
accountable for their client's actions. Much as parents are held
accountable for their children's actions. The child could still be
considered responsible for their own deeds by the parent, but the
parent must still bear the burden of any misdeeds.
> I think your second sentence hits a key point, "What form of
> responsibility does a signer take when it signs a message?". Is it
> responsible for allowing the submission of the message? Is it
> responsible for the contents of the message? Both?
It may not be the content of the message that is abusive, but rather
the number. DKIM should be seen as establishing a hierarchy of
accountability. This hierarchy improves effectivity of abatement
efforts by involving fewer entities. Unlike S/MIME or OpenPGP, the
resolution for accountability remains at the domain. By limiting the
resolution of accountability, the ability of DKIM to scale and enjoy
wide deployment is greatly improved. All efforts to include more
than just the domain must be steadfastly resisted.
> Taking responsibility on the submission of a message is different
> than responsibility of its contents.
Said differently, being accountable for the submission of messages is
different than being responsible for the message's content. Not
caring about the message's content still allows DKIM to offer great
> BTW, as DKIM is currently defined, a DKIM signature may not be by the
> party that allowed initial submission of the message. DKIM either
> needs stronger binding semantics, or it needs to limit when signing
> can be done.
Anytime a message is signed, message accountability should be
considered anew. The chain of accountability (or trust) is from the
signer to the recipient. The signing domain is held accountable for
those messages it submits, who in turn should hold their clients
accountable for messages reported as abusive. DKIM establishes a clear
hierarchy of accountability.
Adding multiple signatures would not be as effective as a general
rule of not re-signing the message when possible. It seems rather
foolish to be placing these monkeys on your back.