DKIM TTPs (was Re: [ietf-dkim] editorials and nits)

Douglas Otis dotis at mail-abuse.org
Wed Jul 5 16:22:02 PDT 2006


On Jul 5, 2006, at 2:36 PM, Paul Hoffman wrote:

> At 12:44 PM -0700 7/5/06, Douglas Otis wrote:
>> DKIM generally represents a domain wide entity.  A trusted third  
>> party (TTP) establishes trust between two parties when both trust  
>> the third party.  For DKIM, the TTP would be the signing domain  
>> verified by DNS.
>
> This is completely wrong, and goes against nearly everything that  
> this WG has been working on. The signing domain is *not* trusted.
>
> Does anyone other than Doug think that it is?


You have misunderstood what was being said.  A signing domain can be
a trusted first party, but unless DKIM becomes commonly used with
third-party signing domains, a signing domain will not become a
generally trusted third party.  As an example, imagine an entity
"trustworthy-email-accreditations.com" issues keys where the public
half is published within their DNS domain, and the private half is
sent to senders that comply with their provisos.  For EHLOs,
"trustworthy-email-accreditations.com" could also offer A RRs in
addition to DKIM key RRs.  When "trustworthy-email-accreditations.com"
becomes trusted for their vetting of email senders, they will have
established themselves as a trusted third-party signing domain.  As I
said, I don't think that is how most expect DKIM to be used.  Barring
that model of use, DKIM does not offer TTP services.

A DNS domain delegation says little about email-related behaviors.
In addition to establishing a real identity and exposure to
litigation, the behavior of an entity is generally a major component
of the trust established by a TTP.  The information provided by DNS
is that a signing domain (perhaps owned by an anonymous entity) was
involved with the content of a message.  While DNS offers trustworthy
domain delegations involving anywhere from a few to hundreds of
separate entities, DNS domain delegation says vanishingly little
about email-related interactions and behaviors.  DKIM's use of DNS is
little better than verifying the EHLO host name's IP address, except
that a DKIM signature survives beyond the first hop.

TTP services are simply not a normal component of either DKIM base or
SSP.  SSP provides for a level of repudiation, but name-path
registration offers even greater DoS protections with a similar level
of repudiation when desired.

-Doug
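The distinction Doug draws above (a verified signature only proves which d= domain was involved with the content; whether that domain is a trusted first party, an accredited third party, or an unknown signer is a separate policy question) can be made concrete in code. The following is an added example, not code from this thread or from any DKIM implementation. It parses a DKIM-Signature tag list, builds the <selector>._domainkey.<domain> key name the verifier queries, checks the key record is not revoked, and then classifies the signing domain against the From: address and a local accreditation list. The signer name "trustworthy-email-accreditations.com" is taken from the post; the selector "2006q3", the domain "sender.example", the in-memory stand-in for DNS, and the b=, bh= and p= values are constructed placeholders, so the RSA verification of b= itself is outside this example.

```python
import re
from email.utils import parseaddr

# Tags that RFC 6376 requires in every DKIM-Signature header field.
REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")


def parse_tag_list(value):
    """Parse an RFC 6376 tag=value list. Folding whitespace inside a value
    carries no meaning, so it is stripped; duplicate tags are rejected."""
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue  # tolerate a trailing ';'
        if "=" not in item:
            raise ValueError("malformed tag: %r" % item.strip())
        name, val = item.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError("duplicate tag: %s" % name)
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def parse_dkim_signature(header_value):
    """Return the signature tags, or raise if the header is unusable."""
    tags = parse_tag_list(header_value)
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        raise ValueError("missing required tags: " + ", ".join(missing))
    if tags["v"] != "1":
        raise ValueError("unsupported DKIM version %r" % tags["v"])
    return tags


def key_record_name(tags):
    """DNS owner name of the public key: <selector>._domainkey.<d= domain>."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"].lower().rstrip("."))


def key_is_usable(txt):
    """True if a DKIM key record carries a key. An empty p= means the key
    was revoked (RFC 6376), so signatures made with it must not verify."""
    try:
        tags = parse_tag_list(txt)
    except ValueError:
        return False
    return tags.get("v", "DKIM1") == "DKIM1" and bool(tags.get("p"))


def is_author_domain_signature(tags, from_header):
    """First-party if d= equals the From: domain or is one of its parents."""
    _, addr = parseaddr(from_header)
    author = addr.rpartition("@")[2].lower()
    d = tags["d"].lower()
    return author == d or author.endswith("." + d)


def trust_decision(tags, from_header, accredited_signers):
    """All DKIM verification establishes is that d= vouched for the message;
    whether d= is *trusted* is a separate, local policy decision."""
    if is_author_domain_signature(tags, from_header):
        return "first-party"
    if tags["d"].lower() in accredited_signers:
        return "third-party-accredited"
    return "third-party-unknown"


# Constructed sample data, not captured from real mail. The signer name comes
# from the thread; selector, key text and b=/bh= values are placeholders.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    "\td=trustworthy-email-accreditations.com; s=2006q3;\r\n"
    "\th=from:to:subject:date; bh=PLACEHOLDER_BODY_HASH=;\r\n"
    "\tb=PLACEHOLDER_SIGNATURE_VALUE="
)
SAMPLE_FROM = "Sender <user@sender.example>"
FAKE_DNS = {  # stand-in for DNS TXT lookups (constructed)
    "2006q3._domainkey.trustworthy-email-accreditations.com":
        "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    "old._domainkey.trustworthy-email-accreditations.com":
        "v=DKIM1; k=rsa; p=",  # revoked key: empty p=
}
ACCREDITED_SIGNERS = {"trustworthy-email-accreditations.com"}


def classify(header_value=SAMPLE_SIGNATURE, from_header=SAMPLE_FROM,
             dns=FAKE_DNS, accredited=ACCREDITED_SIGNERS):
    """Look up the key the signature names and classify the signing domain."""
    tags = parse_dkim_signature(header_value)
    record = dns.get(key_record_name(tags))
    if record is None:
        return "no-key"       # signature fails; nothing is learned about d=
    if not key_is_usable(record):
        return "key-revoked"  # likewise a failure, not a weaker identity
    return trust_decision(tags, from_header, accredited)


if __name__ == "__main__":
    print(key_record_name(parse_dkim_signature(SAMPLE_SIGNATURE)))
    print(classify())
```

Note that the accreditation set is a purely local input: nothing in the DNS lookup tells the verifier that the signing domain vets its senders, which is exactly the gap the post describes between DNS delegation and email behavior.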
