[ietf-dkim] draft-ietf-dkim-threats-02 nit//Affects verification of messages?

Douglas Otis <dotis@mail-abuse.org> Thu, 06 April 2006 19:28 UTC

From: Douglas Otis <dotis@mail-abuse.org>
Date: Thu, 06 Apr 2006 12:02:58 -0700
To: IETF Discussion <ietf@ietf.org>

,----
|1.2.  Document Structure
|...
|
| The sections dealing with attacks on DKIM each begin with a table
| summarizing the postulated attacks in each category along with their
| expected impact and likelihood.  The following definitions were used
| as rough criteria for scoring the attacks:
|
| Impact:
|
|  High: Affects the verification of messages from an entire domain or
|      multiple domains
'____

It is not clear what is meant by "affects verification of messages."   
The verification process depends only upon the integrity of the  
network infrastructure.  The threat document should consider the  
impact upon the classification of a domain's messages.  Even when a  
private key is compromised, the verification process still passes  
valid messages.  The threat review indicates a compromised key as  
causing a high impact.  One could conclude this impact results when  
messages from a bad actor accrue to the exploited domain.

The introduction offers these possible uses of DKIM.
,----
| Once the attesting party or parties have been established, the
| recipient may evaluate the message in the context of additional
| information such as locally-maintained whitelists, shared reputation
| services, and/or third-party accreditation.
'____

A threat document should consider how an exploit might affect these  
uses of DKIM.


Change:

"Affects the verification of messages..."

to

"Affects the classification of messages..."

-Doug



