DKIM TTPs (was Re: [ietf-dkim] editorials and nits)

Stephen Farrell stephen.farrell at cs.tcd.ie
Wed Jul 5 18:35:44 PDT 2006



Douglas Otis wrote:
> From your reference:
> ---
> In cryptography, a trusted third party (TTP) is an entity which 
> facilitates interactions between two parties who both trust the third 
> party; they use this trust to secure their own interactions. TTPs are 
> common in cryptographic protocols, for example, a certificate authority 
> (CA).
> ---
> 
> While DNS associates a key with a domain name, there should be no 
> expectation this domain name represents a tangible entity or offers 
> meaningful recourse.  

Irrelevant.

> There are thousands of entities involved in these
> associations, where the basis is often limited to just the domain name 
> itself.   It is difficult to consider an amalgam of often anonymous 
> entities a "trusted third party" for "securing" email interactions.  Use 
> of DNS by DKIM certainly falls short of the expectations of a TTP as set 
> by Certificate Authorities or the example given of a notary public.  For
> DKIM to offer security, a separate assessment of the DKIM domain name 
> should be made (likely by a TTP).  In that sense of trust or "securing" 
> interactions, DNS fails this definition of TTP for email in my view.

Perhaps you haven't been involved in the fairly tedious exercise
of engineering one of these, e.g. when I worked for a large German
company we made an internal PKI where every building supervisor was
part of the TTP (mostly as RAs, as it happened). At the time there
were O(400,000) employees, and about O(1) private keys, so, like
everyone else, we kind of got used to the idea that a TTP needn't
be monolithic.

Main point is that there *is* an accepted way to use this term, and
yours is not it.

For DKIM, the DNS is a TTP.

Stephen.
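As an added illustration of what the two posters are arguing about (this is example code written for this page, not anything from the thread or the DKIM specification's own text): the only binding DKIM establishes through the DNS is between a selector/domain pair and a public key. The snippet below derives the DNS name a verifier queries from a DKIM-Signature header and parses a key record of the form a verifier would receive; the header and the TXT record are constructed samples, and the `p=` value is a placeholder, not a real key. Nothing in the record identifies an organisation or a person, which is exactly the point Otis raises and the point Farrell says is beside the definition of a TTP.

```python
from typing import Dict

# Constructed sample DKIM-Signature header value (not from any real message).
# Only d= (signing domain) and s= (selector) determine where the key is looked up.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel2006; "
    "h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG=="
)

# Constructed sample key record as published in DNS (placeholder key, not real).
SAMPLE_KEY_RECORD = "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEYBASE64"


def parse_tag_list(value: str) -> Dict[str, str]:
    """Parse a DKIM tag=value list into a dict.

    Entries are separated by ';'. Whitespace (including header folding)
    around names and inside values is discarded, as a verifier would do.
    """
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, val = part.split("=", 1)
        tags[name.strip()] = "".join(val.split())
    return tags


def dkim_key_query_name(signature_header: str) -> str:
    """Return the DNS name a verifier queries: <selector>._domainkey.<domain>.

    The domain is case-insensitive, so it is normalised to lower case.
    """
    tags = parse_tag_list(signature_header)
    if "d" not in tags or "s" not in tags:
        raise ValueError("DKIM-Signature lacks d= or s= tag")
    return f"{tags['s']}._domainkey.{tags['d'].lower()}"


def parse_key_record(txt: str) -> Dict[str, str]:
    """Parse a DKIM key TXT record and apply the basic sanity checks.

    v= defaults to DKIM1 and k= defaults to rsa when absent. The record
    binds a key to the queried name and nothing else: there is no field
    naming an organisation, a person or any recourse.
    """
    tags = parse_tag_list(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError(f"unsupported record version: {tags.get('v')!r}")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError(f"unsupported key type: {tags.get('k')!r}")
    if "p" not in tags:
        raise ValueError("key record has no p= tag")
    return tags


def key_is_usable(txt: str) -> bool:
    """True if the record parses and carries a non-empty key.

    An empty p= value means the domain has revoked that selector's key,
    so signatures referring to it must not verify.
    """
    try:
        return bool(parse_key_record(txt)["p"])
    except ValueError:
        return False


if __name__ == "__main__":
    name = dkim_key_query_name(SAMPLE_SIGNATURE)
    print("verifier queries TXT record at:", name)
    print("parsed key record:", parse_key_record(SAMPLE_KEY_RECORD))
    print("usable:", key_is_usable(SAMPLE_KEY_RECORD))
    print("revoked record usable:", key_is_usable("v=DKIM1; k=rsa; p="))
```

Running it shows that the verifier's trust decision reduces to "the operator of example.com's DNS published this key under this selector"; any assessment of who stands behind that domain has to come from somewhere outside DKIM itself.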

