dotis at mail-abuse.org
Thu Oct 6 12:08:35 PDT 2005
On Oct 6, 2005, at 10:32 AM, Jim Fenton wrote:
> Douglas Otis wrote:
>> Avoiding repudiation was not heeded within the DKIM draft
>> abstract that explains intent. : (
> I really don't understand the above statement.
The DKIM abstract makes similar claims and _states_ repudiation is
the form of protection offered. It will be very difficult to defend
that position in my view.
>> A reputation mechanism can be safely established to accrue
>> behavioral information of the signer. How can reputation be
>> extended to include "addresses" and "identities"? What
>> protection is possible without reputation assessments?
>> A DKIM signature in fact _does_ guarantee the accountability of
>> the signer. It simply does not guarantee their behavior. That
>> is why reputation in the form of white-lists, accreditation, or
>> reputation services is _required_. Reputation is _not_ an
> The threat analysis characterizes the bad acts as the spoofing of
> email addresses. It does not consider bad behavior to be one of
> the bad acts that we're guarding against. Perhaps that is unclear
> from the wording "is not effective against the use of addresses
> they control." What I mean to say is that the use of addresses is
> out of scope for DKIM, rather than that DKIM is trying to solve
> that problem but doesn't manage to.
Your language seems to miss an aspect with respect to reputation at
least. Not that DKIM directly prevents bad behaviors which includes
the spoofing of email addresses, it is who does DKIM hold
accountable? Mailbox-addresses should be declared as "unprotected"
with a possible exception of where a domain asserts they sign all
their own mail. How this assertion is made and applied is a
different issue for later. Within this limitation as a means to
avoid the misapplication of reputation, it should be safe to claim
some protection by way of repudiation.
>> By attempting to extend DKIM to include the protection of
>> "addresses" in the generic sense, there is danger entering into a
>> quagmire. Nothing can be accrued with respect to the "address"
>> in terms of bad behavior without implying the signer is also not
>> trustworthy. This creates a serious paradox.
>> Only when the "address" and the signer are the same, would it be
>> possible to safely make assertions of behavior, but then of
>> course extending assertions of behavior to the "address" would
>> not be required. I see little within the threat analysis that
>> clarifies this limitation. I am not comfortable with promises
>> that "address" protection is limited to just repudiation.
> I would go further than that to say that even when the "address"
> and signer are the same, it still isn't possible to safely make
> assertions of behavior with DKIM. You are correct that reputation
> and/or accreditation systems would be required to do so, but that
> this analysis (and the WG charter we have been considering) do not
> deal with that part of the problem.
I agree with this to some extent, however the threat analysis should
consider what form of protection is enabled by DKIM. Details of the
implementation of reputation are likely best handled by a different
WG. Nevertheless, there must be some clarity regarding what form of
protection is being enabled by DKIM. Remaining silent on this issue
has not added the requisite clarity. I see this document providing
greater value when these issues have been clarified. DKIM only
supports repudiation, and reputation except when attacked? This
seems to be points needing better clarification.
More information about the ietf-dkim