[ietf-dkim] review of draft-ietf-dkim-overview-01
ekr at networkresonance.com
Tue Jul 11 13:33:36 PDT 2006
Eliot Lear <lear at cisco.com> writes:
> EKR wrote:
>>> I believe the point Dave is trying to make is that you don't need to
>>> deploy a huge infrastructure to deploy DKIM.
>> Well, in that case you could argue the same thing about S/MIME,
>> which can work in opportunistic (only partly secure modes).
> Right. See below about weaker claims and the lack of a fully deployed
> PKI. It is designed primarily to scale to the level of a domain.
>>> DKIM does NOT require
>> And S/MIME doesn't require PKI.
> S/MIME has its own set of problems, which I won't rehash.
Of course. My point is merely that DKIM has some set of advantages
vis-a-vis S/MIME and PGP, but that this draft overstates
>>> Deploying DNSSEC improves the security of DKIM in the face of
>>> DNS attacks.
>> In the face of attacks which we know happen....
> In those places where that's important perhaps we'll see DNSSEC
> deployment, then.
Right, so I don't think it's reasonable to claim that there's
>>>> I'm not sure I understand what reputation means in this context.
>>> I believe it would be pedantic to define a commonly used English word.
>> I disagree.
>> 1. It's a technical term in the security community, and since there's
>> no reputation service being proposed..
> The language was plainly used. You are, however, raising two separate
> issues: use of the term and whether reputation services are in scope.
> They are clearly not. However, that doesn't mean that DKIM cannot be
> used by such services, and it certainly doesn't mean that we must never
> refer to them. This having been said, I still believe the plain
> language reading connotes an obvious meaning.
Hmm... I don't. Not sure what else to say.
>> 2. As I've pointed out before, manual forensics about who actually
>> sent a message aren't really *that* difficult. Transmitting a message
>> at all puts your reputation on the line--to the extent that sending
>> spam damages your reputation.
> Forensics != verification.
And verification != reputation. What's your point?
>>> I read Dave's claim is to the contrary. They presumed a directory
>>> infrastructure that in fact has proven difficult to widely deploy to the
>>> level of the individual.
>> Hmm... I don't read it that way. The beginning of 5.4 says:
>> Unlike all four previous IETF email security initiatives, DKIM
>> employs a key centric, directory based PKI as opposed to a
>> certificate based PKI in the style of Kohnfelder (X.509) or Zimmerman
>> (web of trust).
>> Which seems to suggest that X.509 isn't directory-based. But as I
>> noted, the original design certainly was....
> While I could see how you could take this one sentence out of context
> and view it as poorly worded,
What a strange argument, since I also posted several paragraphs which
I also believe imply the same thing. You may not agree with my reading,
but I don't see why you're arguing that I'm taking it out of context.
> let's agree that the author does not
> believe X.509 was implemented outside the notion of a directory. Let me
> suggest, therefore, that you propose wording to clarify.
I would, but I don't really understand what the paragraph
is intended to mean.
More information about the ietf-dkim