[ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt]

Douglas Otis dotis at mail-abuse.org
Sat Jan 7 10:35:46 PST 2006


On Sat, 2006-01-07 at 11:15 +0100, Eliot Lear wrote:
> Andrew Newton wrote:
>
> > I am thinking "no."  DKIM's ability to identify a domain owner is not
> > limited by registration authority rules because there may be or will
> > be reputation services separate from the registration authority.
> 
> Precisely.  We need to separate what DKIM does from what reputation
> services do.
>
> > Besides, I don't think DKIM is ever identifying the owner of a domain
> > name since that information is not in DNS.  If the Acme Widget company
> > has the domains acmewidgets.com, acme-widgets.com, and
> > acme-widgets-inc.com, there is nothing in DNS that tells me all three
> > are owned by Acme Widgets (well, nothing you can rely upon).
>
> You're right.  The information is contained within the registries. 
> Whether a recipient can access that information ALSO depends on the
> registry policies.

Often, the extent of owner verification is limited to what can be
determined by payment methods and DNS server information, as no other
confirmations, such as web or email logs, are made available, even when
the information is shared.  As the typical fee could be missed in a
credit card report, even payment information remains dubious, and
permits deniability.

If the substantially anonymous owner has not committed bad acts, the
identification utilized to accrue a history of use should only employ
verified identifications, such as a validated DKIM signature.  With a
potential replay problem, even validation may not be adequate without
some expectation of a practical replay control.

Assuming there is a verified identifier, where there is some expectation
of replay control, the extent of accountability ends at the domain name.
It would not be practical within the current system to extend DNS based
identification to individuals.  Perhaps in a few cases, in conjunction
with corroboration, such as a history of use, this information could be
applied to known entities.

The advantage afforded by DKIM is avoidance of a certificate authority
which would provide entity identification more reliably.  Certificates
for MTAs would add a significant recurring expense, and this has made this
avenue attractive only in specific cases through private agreement.
Even with a certificate authority vouching for the identity, as with the
registrar, there would be a conflict of interest to also expect them to
judge the history of use.

-Doug