[ietf-dkim] Some responsibility
Rolf E. Sonneveld
R.E.Sonneveld at sonnection.nl
Mon Nov 1 15:53:58 PDT 2010
On 11/1/10 6:01 PM, Murray S. Kucherawy wrote:
>> -----Original Message-----
>> From: ietf-dkim-bounces at mipassoc.org [mailto:ietf-dkim-bounces at mipassoc.org] On Behalf Of Graham Murray
>> Sent: Saturday, October 30, 2010 11:51 PM
>> To: ietf-dkim at mipassoc.org
>> Subject: Re: [ietf-dkim] Some responsibility
>>
>>> DKIM is in no position today to provide any assurance to or for anyone to
>>> be indemnified from liabilities.
>> I agree that it does not provide indemnity, but it does not claim to, it
>> claims to do the opposite. What it does provide is assurance of
>> acceptance of liability for messages which are signed. i.e. if a message
>> is DKIM signed, the signer cannot later claim "It was nothing to do with
>> me, it must have been a forgery"
> +1

+1

Given the fact that DKIM does not require a complex PKI, this means DKIM
provides an interesting business case for various types of organizations
(of course, assuming that the organization uses DKIM as it was
designed). To give an example: recently I spoke with a security officer
of a big insurance company, about DKIM. He told me that it was very
important to them to be able to make a statement about mail they send to
their customers, that is: a statement about the mail as it leaves their
ADMD, not about how it arrives at the customer. It is sufficient for
them to be able to show to anyone who might ask them, that they sign
their outbound mail using decent crypto technology. And if they can do
so, without having to deploy a full PKI, it makes DKIM an interesting
technology to them. IMHO DKIM needs these kinds of use case scenarios
to get wide acceptance.

[Of course, in addition to signing their mail, they probably will want
to archive their outbound mail including DKIM signature etc., but that's
not relevant to the discussion here.]

> Moreover, I think we tread on dangerous ground when we make assertions in any direction that are legal rather than technical. We're about as expert in law as we are in MUAs, which is to say "not at all".

Agreed.

/rolf