DKIM TTPs (was Re: [ietf-dkim] editorials and nits)
dotis at mail-abuse.org
Fri Jul 7 15:19:05 PDT 2006
On Jul 7, 2006, at 1:59 PM, Eliot Lear wrote:
>> DNSSEC improves the integrity of the delegation process and
>> exchange of resource records. It does not improve upon extremely
>> poor identification vetting that might not even be available to
>> the recipient. The untrustworthy identification associated with
>> DNS means it is very misleading to describe DNS as a trusted third-
>> party analogous to a trusted CA.
> Every problem you've mentioned with DNS can occur with CAs. Heck I
> run my own. What makes you think you can trust me?!
The key term here is trusted. You may offer CA services, but
competence and general acceptance will determine whether the service
becomes and remains trusted.
>>> All of this having been said, your use of the words "secure email
>>> interactions" overstates the purpose of the method.
>> This comment used terminology offered by the definition provide by
>> Stephen. Indeed DNS does not offer a reasonable method to exclude
>> bad actors (secure), where a trusted third-party does.
> Reiterating, every problem you state really has nothing to do with
> DNS but with registration.
Exactly. How is the registration of domain names separate from the
delegation of domain names? Can a bad actor by any other domain name
still be held accountable? Unfortunately, no.
> That problem is universal, regardless of mechanism. To be fair CAs
> have a few more gizmos to play with, but the notion of delegation
> and registration remains the same.
Those that are competent at vetting identities against tangible
elements will become and remain trusted. With DNS, there is a
notable lack of choice in the matter of trust, and currently every
reason to consider the DNS registration process itself is not held
accountable. Perhaps the lack of accountability with domain name
registration is due to the lack of choice. It would be very
misleading to declare DNS replaces a trusted CA, for example. DKIM
verifies a domain name that can be readily checked against various
lists and trusted third party services. DNS and its associated
registration process should not be trusted at this time to have
vetted identities against tangible elements when securing
interactions and establishing accountability.
More information about the ietf-dkim