DKIM TTPs (was Re: [ietf-dkim] editorials and nits)
Jim Fenton
fenton at cisco.com
Tue Jul 4 22:22:25 PDT 2006
Paul Hoffman wrote:
> At 10:40 AM +0100 7/4/06, Stephen Farrell wrote:
>>>> #3 1.1, 2nd set of bullets. dkim *does* require a ttp - the DNS.
>>>> Better to say that dkim requires no *new* ttp.
>>>
>>> I don't see DNS as a "third party" in the same sense as a CA for
>>> certs. Yes, DNS has to work, but it isn't a third party (unless you
>>> want to count the root servers, I suppose). By this logic, we
>>> should also include the multiple third parties that run the routers
>>> and all the rest of the infrastructure.
>>
>> In my little PKI-riddled mind, the DNS is a TTP since it supplies the
>> public keys and if/when DNSSEC were used, it starts to look quite like
>> a PKI. The routers etc. won't ever really be supplying signed key
>> records. But if no-one else thinks the same, leaving as-is is of course
>> right.
>
> My brain has the same affliction as Stephen's in this department. The
> keys have to be distributed somehow. The keys are not inherently
> trusted. DKIM users trust the keys they get from the DNS. The DNS is
> the trusted third party who hands out keys.
I'm also with Stephen on this. I think it helps our credibility to
acknowledge the dependency on DNS, although the threat document has
already spelled that out in some detail.
-Jim
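The key-distribution step the thread is arguing about, shown as an added example rather than anything from the list archive or the DKIM drafts: a verifier fetches the TXT record at `<selector>._domainkey.<domain>` and parses its tag=value list to obtain the signer's public key. The record below is constructed, the `p=` blob is a placeholder rather than a real RSA key, and the helper names are this example's own. The parser does no DNS lookup, so it also makes Stephen's point concrete: whatever it returns is only as trustworthy as the path the record arrived over.

```python
# Added example (not from the DKIM list thread): parse a DKIM public-key
# record of the kind published in DNS, the "third party" key source the
# thread discusses. Tags follow the DKIM key record syntax (v, k, h, t, p).
import base64
import re

# Constructed sample TXT value; the p= content is a placeholder key blob.
SAMPLE_TXT = "v=DKIM1; k=rsa; t=s; p=" + base64.b64encode(
    b"placeholder-public-key-bytes").decode()


def dkim_query_name(selector, domain):
    """Owner name a verifier queries: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def parse_dkim_key_record(txt):
    """Parse a 'tag=value; tag=value' DKIM key record into a dict.

    Raises ValueError on malformed input. Nothing here checks how the
    record was obtained (DNSSEC or not); that trust decision is the caller's.
    """
    tags = {}
    for field in txt.split(";"):
        field = field.strip()
        if not field:
            continue  # tolerate a trailing ';'
        if "=" not in field:
            raise ValueError(f"malformed tag: {field!r}")
        name, value = field.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value.strip()

    # v= is optional; if present it must be DKIM1.
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported key record version")
    if "p" not in tags:
        raise ValueError("missing required p= tag")

    # An empty p= means the key has been revoked.
    revoked = tags["p"] == ""
    # Folding whitespace inside the base64 blob is permitted; strip it first.
    key_bytes = b"" if revoked else base64.b64decode(
        re.sub(r"\s+", "", tags["p"]), validate=True)

    return {
        "version": tags.get("v", "DKIM1"),
        "key_type": tags.get("k", "rsa"),          # k= defaults to rsa
        "hash_algs": tags["h"].split(":") if "h" in tags else None,
        "flags": tags["t"].split(":") if "t" in tags else [],
        "revoked": revoked,
        "public_key": key_bytes,
    }


if __name__ == "__main__":
    print(dkim_query_name("brisbane", "example.com"))
    print(parse_dkim_key_record(SAMPLE_TXT))
```

The `t=s` flag in the sample is the real "strict" flag, meaning the signing domain must match the i= identity exactly; the parser surfaces it but leaves enforcement to the verifier, as the spec does.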