DKIM TTPs (was Re: [ietf-dkim] editorials and nits)

Douglas Otis dotis at mail-abuse.org
Fri Jul 7 15:19:05 PDT 2006


On Jul 7, 2006, at 1:59 PM, Eliot Lear wrote:

>> DNSSEC improves the integrity of the delegation process and  
>> exchange of resource records.  It does not improve upon extremely  
>> poor identification vetting that might not even be available to  
>> the recipient.  The untrustworthy identification associated with  
>> DNS means it is very misleading to describe DNS as a trusted third- 
>> party analogous to a trusted CA.
>
> Every problem you've mentioned with DNS can occur with CAs.  Heck I  
> run my own.  What makes you think you can trust me?!

The key term here is trusted.  You may offer CA services, but  
competence and general acceptance will determine whether the service  
becomes and remains trusted.


>>> All of this having been said, your use of the words "secure email  
>>> interactions" overstates the purpose of the method.
>>
>> This comment used terminology offered by the definition provided by  
>> Stephen.  Indeed DNS does not offer a reasonable method to exclude  
>> bad actors (secure), where a trusted third-party does.
>
> Reiterating, every problem you state really has nothing to do with  
> DNS but with registration.

Exactly.  How is the registration of domain names separate from the  
delegation of domain names?  Can a bad actor by any other domain name  
still be held accountable?  Unfortunately, no.


> That problem is universal, regardless of mechanism.  To be fair CAs  
> have a few more gizmos to play with, but the notion of delegation  
> and registration remains the same.

Those that are competent at vetting identities against tangible  
elements will become and remain trusted.  With DNS, there is a  
notable lack of choice in the matter of trust, and currently every  
reason to consider the DNS registration process itself is not held  
accountable.  Perhaps the lack of accountability with domain name  
registration is due to the lack of choice.  It would be very  
misleading to declare DNS replaces a trusted CA, for example.  DKIM  
verifies a domain name that can be readily checked against various  
lists and trusted third party services.  DNS and its associated  
registration process should not be trusted at this time to have  
vetted identities against tangible elements when securing  
interactions and establishing accountability.

-Doug
