[ietf-dkim] Not exactly not a threat analysis
ned.freed at mrochek.com
Wed Aug 24 19:40:12 PDT 2005
> > Sorry, I did not mean that the exact policies and enforcement rules
> > of accountability should be defined, but what is meant by being an
> > "accountable identity".
> That's exactly what we shouldn't define.
> > When I see the term "accountable" all kinds of implications pop in my
> > head, including legal ones. For example, if I sign a message, could
> > I then be prosecuted if the message is involved in criminal activity?
> How the heck should we know? We're network engineers, not politicians.
> For that matter, I'm a network engineer and a politician and I don't
> know either. It entirely depends on what the law says, what the message
> says, under what circumstances you signed the message, and a dozen other
> things. Law is not software, and attempts to treat it as software never
> produce useful results.
"Never" is a tough word to live up to, but I actually think it might apply
> > To me, something like "authenticating the originating domain identity"
> > provides a clear indication of what is being identified without getting
> > into the murky area of "accountability".
> That would be fine if that's what DKIM did, but it's not. It allows a
> domain to say "we're accountable for this message" without it having to
> claim to be the originator. For reasons already hashed out at great
> length, that's an essential difference.
Right again. There's nothing murky about the attachment of an identity to a
specific message that DKIM provides.