[ietf-dkim] review of draft-ietf-dkim-overview-01
EKR
ekr at networkresonance.com
Tue Jul 11 13:33:36 PDT 2006
Eliot Lear <lear at cisco.com> writes:
> EKR wrote:
>>>>
>>>>
>>> I believe the point Dave is trying to make is that you don't need to
>>> deploy a huge infrastructure to deploy DKIM.
>>>
>>
>> Well, in that case you could argue the same thing about S/MIME,
>> which can work in opportunistic (only partly secure modes).
>>
>
> Right. See below about weaker claims and the lack of a fully deployed
> PKI. It is designed primarily to scale to the level of a domain.
>>
>>> DKIM does NOT require
>>> DNSSEC.
>>>
>>
>> And S/MIME doesn't require PKI.
>>
>
> S/MIME has its own set of problems, which I won't rehash.
Of course. My point is merely that DKIM has some set of advantages
vis-a-vis S/MIME and PGP, but that this draft overstates
them.
>>> Deploying DNSSEC improves the security of DKIM in the face of
>>> DNS attacks.
>>>
>>
>> In the face of attacks which we know happen....
>>
>
> In those places where that's important perhaps we'll see DNSSEC
> deployment, then.
Right, so I don't think it's reasonable to claim that there's
no dependency.
>>>> I'm not sure I understand what reputation means in this context.
>>>>
>>>>
>>> I believe it would be pedantic to define a commonly used English word.
>>>
>>
>>
>> I disagree.
>> 1. It's a technical term in the security community, and since there's
>> no reputation service being proposed..
>>
>
> The language was plainly used. You are, however, raising two separate
> issues: use of the term and whether reputation services are in scope.
> They are clearly not. However, that doesn't mean that DKIM cannot be
> used by such services, and it certainly doesn't mean that we must never
> refer to them. This having been said, I still believe the plain
> language reading connotes an obvious meaning.
Hmm... I don't. Not sure what else to say.
>> 2. As I've pointed out before, manual forensics about who actually
>> sent a message aren't really *that* difficult. Transmitting a message
>> at all puts your reputation on the line--to the extent that sending
>> spam damages your reputation.
>>
>
> Forensics != verification.
And verification != reputation. What's your point?
>>>>
>>> I read Dave's claim is to the contrary. They presumed a directory
>>> infrastructure that in fact has proven difficult to widely deploy to the
>>> level of the individual.
>>>
>>
>> Hmm... I don't read it that way. The beginning of 5.4 says:
>>
>> Unlike all four previous IETF email security initiatives, DKIM
>> employs a key centric, directory based PKI as opposed to a
>> certificate based PKI in the style of Kohnfelder (X.509) or Zimmerman
>> (web of trust).
>>
>> Which seems to suggest that X.509 isn't directory-based. But as I
>> noted, the original design certainly was....
>>
>
>
> While I could see how you could take this one sentence out of context
> and view it as poorly worded,
What a strange argument, since I also posted several paragraphs which
I also believe imply the same thing. You may not agree with my reading,
but I don't see why you're arguing that I'm taking it out of context.
> let's agree that the author does not
> believe X.509 was implemented outside the notion of a directory. Let me
> suggest, therefore, that you propose wording to clarify.
I would, but I don't really understand what the paragraph
is intended to mean.
-Ekr
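The "key centric, directory based PKI" the thread argues about is concrete: a DKIM verifier derives a DNS name from the signature's s= and d= tags and fetches the public key from a TXT record there, which is exactly why DNS integrity (and hence DNSSEC) matters. The following Python is an added illustration, not code from the thread or from the overview draft: it parses the tag=value syntax shared by the DKIM-Signature header and the key record, builds the selector name, and validates the key record. The header and TXT values are constructed samples (example.com, selector "brisbane", placeholder base64), and the network lookup itself is deliberately left out.

```python
import re

# Constructed sample DKIM-Signature header value (not from the thread).
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=brisbane;\r\n"
    "\th=from:to:subject:date; bh=PLACEHOLDERBODYHASH=;\r\n"
    "\tb=PLACEHOLDER\r\n\t SIGNATURE="
)

# Constructed sample TXT record published at <s>._domainkey.<d>.
SAMPLE_TXT = "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"


def parse_tag_list(value):
    """Parse a DKIM tag=value list into a dict.

    Tags are separated by ';', whitespace (including folding whitespace
    from a wrapped header) around and inside values is not significant,
    and a trailing ';' is allowed. Duplicate tags are rejected, as the
    spec requires, rather than letting the last one silently win.
    """
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        name, _, val = item.partition("=")
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def key_record_name(signature_header):
    """Return the DNS name a verifier must query for this signature's key."""
    tags = parse_tag_list(signature_header)
    for required in ("d", "s"):
        if not tags.get(required):
            raise ValueError(f"DKIM-Signature lacks {required}= tag")
    # The key lives in DNS under the signer's domain: nothing else vouches
    # for it, which is the "directory based PKI" the draft describes.
    return f"{tags['s']}._domainkey.{tags['d']}"


def parse_key_record(txt):
    """Validate a DKIM key record TXT value and return its tags.

    v= is optional but must be DKIM1 if present; k= defaults to rsa;
    p= is mandatory, and an empty p= means the key has been revoked.
    """
    tags = parse_tag_list(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError(f"unsupported key record version: {tags['v']!r}")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError(f"unsupported key type: {tags['k']!r}")
    if "p" not in tags:
        raise ValueError("key record lacks p= tag")
    return tags


def key_is_revoked(key_tags):
    """True when the record was published with an empty public key."""
    return key_tags["p"] == ""


if __name__ == "__main__":
    name = key_record_name(SAMPLE_SIGNATURE)
    print("would query TXT", name)
    rec = parse_key_record(SAMPLE_TXT)
    print("key type", rec.get("k", "rsa"), "revoked:", key_is_revoked(rec))
```

The missing step between `key_record_name` and `parse_key_record` is the DNS query, and that is where the thread's disagreement lives: without DNSSEC (or a validating resolver), whatever answers that query for `brisbane._domainkey.example.com` controls which key the verifier trusts.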