[Fwd: EKR - Re: [ietf-dkim] Review of draft-ietf-dkim-base-00 (1)]

Dave Crocker dhc at dcrocker.net
Mon Mar 20 08:44:35 PST 2006


(Sorry. Firefox does not have a redistribute command. /d)

-------- Original Message --------
Subject: Re: [ietf-dkim] Review of draft-ietf-dkim-base-00 (1)
Date: Mon, 20 Mar 2006 06:04:58 -0800
From: Eric Rescorla <ekr at rtfm.com>
Reply-To: EKR <ekr at rtfm.com>
To: dcrocker at bbiw.net
CC: ietf-dkim at mipassoc.org
References: <20060319174949.52D5AB87A at delta.rtfm.com> 
<441E38B3.1080702 at dcrocker.net>

[Re-sent after a unicast addressing error....]

Dave Crocker <dhc at dcrocker.net> writes:

>> S 1.1.
>>    o  there is no dependency on public and private key pairs being
>>       issued by well-known, trusted certificate authorities,
>> This claim seems somewhat disingenuous.
>
> It shouldn't. The statement is simply and directly accurate, as given.
>
> The problem with the analysis you provided is that it conflates a dependency
> that DKIM *does* have on the DNS, with the means that DNS might/will use to
> provide acceptable service.
>
> To pursue the line of concern you have raised, here are some simple questions:
>
> 1. Does DKIM specify anything that looks like a cert authority?
>
>     Answer:  No.
>
> 2. Does DKIM require validity of the data produced by the DNS?
>
>     Answer:  Yes.
>
> 3. Does the DNS provide reasonably good data validity today?
>
>     Answer:  Yes.
>
> 4. Is the current DNS vulnerable?
>
>     Answer:  Yes.
>
> 5. Are CAs required to fix this?
>
>     Answer:  Maybe, but maybe not.  Certainly that is the path being explored,
>     planned on, and maybe even slightly deployed.  Other schemes might have been
>     feasible, but they aren't what has been defined.
>
> In other words, Eric, the logic that goes from DKIM to a CA is rather
> circuitous.  It contains some twists and choices.

Uh, sure, if you say so. The fact is that the document explicitly
suggests that it be secured via DNSSEC, so the path is nowhere
near as indirect as you suggest.


> In fact if you are looking for the characteristic of craftiness that
> is implied by the word disingenuous, then I'd be inclined to suggest
> that it applies more to claiming that DKIM *does* use CAs than to
> the claim that it does not.

Of course you would.

-Ekr


-- 

Dave Crocker
Brandenburg InternetWorking
<http://bbiw.net>

