[ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt]

Fri Jan 6 02:40:44 PST 2006

Oddly I think we are agreeing, so perhaps we're both going in the wrong
way ;-)  I thought the point was to bound DKIM's capability.  On the
other hand, one could imagine a strict requirement for domain assignment
in some TLDs (perhaps this is already the case with .gov?).  Regardless,
absent that level of authentication between the registrar and the domain
"owner" you're left with reputation services...

Eliot

william(at)elan.net wrote:
>
> On Fri, 6 Jan 2006, Eliot Lear wrote:
>
>> Jim Fenton wrote:
>>> I'll stipulate that accountability may be the wrong word.  However,
>>> your
>>> rewording doesn't pick up the concept that the domain registration may
>>> be fraudulent, and in that case I don't think it's properly assigning
>>> accountability.  I was trying to convey that there is a dependency here
>>> that puts an upper bound (a rather low upper bound, at that) on the
>>> ability to identify the domain owner of a properly signed message.
>>>
>>
>> How about the following:
>>
>>    DKIM's ability to identify a domain owner is [also] bounded by
>> whatever checks a registration authority imposes.
>
> You're going in the wrong direction.
>
> Even if it may have been original intent long ago, currently
> domain registration authorities do not do any checking of the
> domain owner's identify and the commodity of the provided services
> clearly reflects that (as is the pricing for TLD domains; market
> is used to this and situation is unlikely to change).
>
> Domain identity is really self-identification and the same service
> would be provided by domain-bound email signatures discussed on this
> list - they allow domain owner to self-identify itself and provide
> cryptographic means to link the email message to this self-identity.
>
> The accountability of this identity is beyond the scope of the service
> provided by simple domain-based email signatures (at least based
> on what is in scope within approved charter). This is something
> that accreditation services supposed to do i.e. tell if the domain
> owner is known and willing to take responsibility for the transactions
> and who they really are (but if this is going to actually be of any
> value depends on that accreditation providers do not just take money
> from somebody willing to pay but actually do some sort of verification
> of who they are dealing with). Now even when you having somebody who
> you can hold accountable, that does not mean they are good player in
> email arena (who is good and bad is area for reputation services).
>
> Now can we please go back to your draft and make it clear that
> signature only establishes link between email message and some
> domain name. Anything further then that such as verifying
> domain owner identity and accountability would have to be
> provided by some other means and different service.
>
> ---
>
> BTW - Personally I think the link should be provided not to domain
> name but directly to email address level whenever possible. The
> email address identities in messaging network are as host identities
> on the ip network and with SSL we almost always use "host.domain.com"
> as appropriate identify for SSL certificates but do also allow for
> wildcard certificates i.e. "*.domain.com".
>