DKIM TTPs (was Re: [ietf-dkim] editorials and nits)
Douglas Otis
dotis at mail-abuse.org
Wed Jul 5 12:44:25 PDT 2006
On Jul 4, 2006, at 10:22 PM, Jim Fenton wrote:
> Paul Hoffman wrote:
>> At 10:40 AM +0100 7/4/06, Stephen Farrell wrote:
>>>>> #3 1.1, 2nd set of bullets. dkim *does* require a ttp - the DNS.
>>>>> Better to say that dkim requires no *new* ttp.
>>>>
>>>> I don't see DNS as a "third party" in the same sense as a CA for
>>>> certs. Yes, DNS has to work, but it isn't a third party (unless you
>>>> want to count the root servers, I suppose). By this logic, we
>>>> should also include the multiple third parties that run the routers
>>>> and all the rest of the infrastructure.
>>>
>>> In my little PKI-riddled mind, the DNS is a TTP since it supplies the
>>> public keys and if/when DNSSEC were used, it starts to look quite like
>>> a PKI. The routers etc. won't ever really be supplying signed key
>>> records. But if no-one else thinks the same, leaving as-is is of
>>> course right.
>>
>> My brain has the same affliction as Stephen's in this department. The
>> keys have to be distributed somehow. The keys are not inherently
>> trusted. DKIM users trust the keys they get from the DNS. The DNS is
>> the trusted third party who hands out keys.
>
> I'm also with Stephen on this. I think it helps our credibility to
> acknowledge the dependency on DNS, although the threat document has
> already spelled that out in some detail.
DKIM generally represents a domain wide entity. A trusted third
party (TTP) establishes trust between two parties when both trust the
third party. For DKIM, the TTP would be the signing domain verified
by DNS. To be a TTP, the signing domain would need to be known and
trusted by the verifier (the second party) for signing email-addresses of
different domains (the first party) or this does not represent three
parties. DNSSEC, except for making a stronger verification of the
signing domain, does not alter this model. Unless DKIM is expected
to be commonly used with third-party signatures, it seems
inappropriate to describe DNS as a TTP, nor does DNS represent a
discrete entity or party.
-Doug
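The DNS step the thread is arguing about, as an added example that is not code from the thread or from the DKIM specification: it derives the key-record name from a DKIM-Signature header's d= and s= tags and checks the TXT answer the verifier has to trust, including the empty p= revocation case. The header and the DNS answers are constructed sample values.

```python
import re

# Constructed sample DKIM-Signature header value (not from the thread).
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; d=example.com; s=sel2006; c=relaxed/simple; "
    "h=from:to:subject; bh=Zm9v; b=YmFy"
)
REVOKED_HEADER = "v=1; a=rsa-sha256; d=example.com; s=old; h=from; bh=Zm9v; b=YmFy"

# Constructed TXT records standing in for what a resolver would return.
# An empty p= tag means the signing domain has revoked that key.
SAMPLE_DNS = {
    "sel2006._domainkey.example.com": "v=DKIM1; k=rsa; p=MIGfMA0GCSq",
    "old._domainkey.example.com": "v=DKIM1; k=rsa; p=",
}


def parse_tags(value):
    """Parse a DKIM tag=value list into a dict, stripping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_query_name(sig_header):
    """Return the DNS name the verifier must query: <selector>._domainkey.<domain>."""
    sig = parse_tags(sig_header)
    return f"{sig['s']}._domainkey.{sig['d']}"


def lookup_key(sig_header, resolver):
    """Return (status, key_tags); status is 'ok', 'missing', 'bad_version' or 'revoked'."""
    record = resolver.get(key_query_name(sig_header))
    if record is None:
        return "missing", None          # no record: signature cannot be verified
    key = parse_tags(record)
    if key.get("v", "DKIM1") != "DKIM1":
        return "bad_version", key       # v= present but not DKIM1
    if not key.get("p"):
        return "revoked", key           # empty p= revokes the key
    return "ok", key
```

Whatever the resolver returns at that name is what the verifier ends up trusting, which is the dependency the thread is discussing.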