DKIM TTPs (was Re: [ietf-dkim] editorials and nits)

Douglas Otis dotis at mail-abuse.org
Fri Jul 7 14:53:33 PDT 2006


On Jul 7, 2006, at 12:02 PM, Stephen Farrell wrote:

> Douglas Otis wrote:
>>  Indeed DNS does not offer a reasonable method to exclude bad  
>> actors (secure), where a trusted third-party does.
>
> Doug is again insisting on grappling gamely with the wrong end of  
> the stick.
>
> The rest of the world however knows that a ttp in an Alice/Bob  
> crypto protocol is any entity they trust who can hurt them by  
> misbehaving.

Agreed.  However trust established with a third-party is typically
based upon their vetting of an identity against something tangible.
When there is bad behavior, confirmed tangible identifiers provide a
means for accountability.  As a result, bad actors are more readily
excluded to better secure interactions.  There is also accreditation
by a trusted third party that holds the entity accountable by
de-listing.  There is also reputation that holds the entity accountable
by listing.  Accreditation or reputation could also be considered
trusted third-parties but does not impose a need to offer tangible
identifiers related to the domain name.  Vetting the identity against
something tangible provides more pro-active protections, assuming the
recipient or the CA makes the effort to correlate these identifiers.

> For dkim the dns is such a beast since it can supply Bob with the  
> wrong keys for the wrong domains. I think a sufficient number of  
> people have agreed with the above that we no longer need debate the  
> fact.

The concern is the vetting of identities against something tangible.   
This issue of trusted vetting by a third-party is completely separate  
from the integrity of DNS itself.  When Bob can easily reappear as  
another domain name without any confirmed tangible identifiers,  
securing email interactions away from bad actors remains futile.   
Without some trusted third-party, DNS will not offer a reasonable  
means to exclude bad actors.  Perhaps whois could someday perform  
this role as a trusted third-party, or some other third-party service  
could be used, such as a trusted CA, or accreditation et al perhaps.   
DNS simply does not ensure tangible identifiers are associated with
the controlling entity of the domain name.  DKIM provides a verified
domain that can be checked against a trusted third-party
service.  Do not confuse DNS as being analogous to a TTP service
however.

> Otherwise we should get back to the point, which was put best by  
> Mike I think - should base mention the dns' role as a ttp at all,  
> and if so how?

No. Not at all. It would be misleading.

-Doug