[ietf-dkim] draft-fenton-dkim-threats-00

Jim Fenton fenton at cisco.com
Thu Oct 6 10:32:49 PDT 2005


Douglas Otis wrote:

>
> Avoiding repudiation was not heeded within the DKIM draft abstract  
> that explains intent. : (

I really don't understand the above statement.

>
> Clarity is also lacking within the threat document regarding what is  
> meant by the term identity or address.  I assume without "IP"  
> prefixing address, address or identity means a header's mailbox  
> address such as RFC2822 From or Sender.

That is correct.  Let me think about where we might put a clarification 
on that.


> A reputation mechanism can be safely established to accrue behavioral  
> information of the signer.  How can reputation be extended to include  
> "addresses" and "identities"?  What protection is possible without  
> reputation assessments?
>
> A DKIM signature in fact _does_ guarantee the accountability of the  
> signer.  It simply does not guarantee their behavior.  That is why  
> reputation in the form of white-lists, accreditation, or reputation  
> services is _required_.  Reputation is _not_ an enhancement.

The threat analysis characterizes the bad acts as the spoofing of email 
addresses.  It does not consider bad behavior to be one of the bad acts 
that we're guarding against.  Perhaps that is unclear from the wording 
"is not effective against the use of addresses they control."  What I 
mean to say is that the use of addresses is out of scope for DKIM, 
rather than that DKIM is trying to solve that problem but doesn't manage to.

>
> By attempting to extend DKIM to include the protection of "addresses"  
> in the generic sense, there is danger entering into a quagmire.   
> Nothing can be accrued with respect to the "address" in terms of bad  
> behavior without implying the signer is also not trustworthy.  This  
> creates a serious paradox.
>
> Only when the "address" and the signer are the same, would it be  
> possible to safely make assertions of behavior, but then of course  
> extending assertions of behavior to the "address" would not be  
> required.  I see little within the threat analysis that clarifies  
> this limitation.  I am not comfortable with promises that "address"  
> protection is limited to just repudiation.

I would go further than that to say that even when the "address" and 
signer are the same, it still isn't possible to safely make assertions 
of behavior with DKIM.  You are correct that reputation and/or 
accreditation systems would be required to do so, but that this analysis 
(and the WG charter we have been considering) do not deal with that part 
of the problem.

-Jim
