IETF Logo Mail Archive

Re: DKIM

Keith Moore <moore@cs.utk.edu> Fri, 26 August 2005 16:37 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E8hCd-0003PC-PM; Fri, 26 Aug 2005 12:37:15 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E8hCb-0003P0-16 for ietf@megatron.ietf.org; Fri, 26 Aug 2005 12:37:13 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA00748 for <ietf@ietf.org>; Fri, 26 Aug 2005 12:37:10 -0400 (EDT)
Received: from ka.cs.utk.edu ([160.36.56.221]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E8hDM-0004c0-2V for ietf@ietf.org; Fri, 26 Aug 2005 12:38:00 -0400
Received: from localhost (ka [127.0.0.1]) by ka.cs.utk.edu (Postfix) with ESMTP id 5A68623550; Fri, 26 Aug 2005 12:37:11 -0400 (EDT)
Received: from ka.cs.utk.edu ([127.0.0.1]) by localhost (ka [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 26612-08; Fri, 26 Aug 2005 12:37:09 -0400 (EDT)
Received: from [192.168.0.4] (user-119b1dm.biz.mindspring.com [66.149.133.182]) by ka.cs.utk.edu (Postfix) with ESMTP id 2982E2353B; Fri, 26 Aug 2005 12:37:09 -0400 (EDT)
Message-ID: <430F4524.80705@cs.utk.edu>
Date: Fri, 26 Aug 2005 12:36:52 -0400
From: Keith Moore <moore@cs.utk.edu>
User-Agent: Mozilla Thunderbird 1.0.6 (Macintosh/20050716)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
References: <198A730C2044DE4A96749D13E167AD375A2AB6@MOU1WNEXMB04.vcorp.ad.vrsn.com>
In-Reply-To: <198A730C2044DE4A96749D13E167AD375A2AB6@MOU1WNEXMB04.vcorp.ad.vrsn.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new with ClamAV and SpamAssasin at cs.utk.edu
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f60d0f7806b0c40781eee6b9cd0b2135
Content-Transfer-Encoding: 7bit
Cc: ietf@ietf.org
Subject: Re: DKIM
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org

>>Not clear.  As currently envisioned, DKIM doesn't address phishing 
>>because it basically says "I saw this message" rather than "I 
>>wrote this 
>>message".  
> 
> 
> I don't see a problem with that, XML signature does not have any
> signature semantics at all.

Different application, different use cases.

> Signature semantics are a function of the PKI, not the application.

No.  If the protocol doesn't say what is meant by signing a message, or 
even restrict the circumstances in which a message can be signed, then 
very little can be assumed about a signature even if it appears to be 
valid.  PKI can have an effect on semantics, but the semantics don't 
have to be determined entirely by the PKI.

> I see the big problem with blacklists as being their total refusal to
> accept accountability to email senders.

That's partially because either they have no way to be sure of what 
they're asserting, or they have to constrain themselves to making 
assertions which might be verifiable but aren't good indicators of 
anything.  If we want reputation servers to work better, we have to 
provide them with data that are both useful and verifiable.

> Its all about accountability.

I don't see how we can have accountability of reputation servers without 
giving them reliable data which can be audited.  We could penalize them 
for providing false negative indications but that alone would make them 
  ineffective against all but the worst offenders.  Everyone would get 
away with spamming a little bit, and everyone's mailbox would still be 
flooded - just with more sources of spam than we have now, and with spam 
that's harder to filter out with heuristics than at present.

> I think that the problem is the common one of thinking that the way to
> get a group to act quickly is to specify the smallest possible charter,
> even if this means that the job is only half finished.

...and even if that means the problem is not understood.

> I think it would be much better to accept that email authentication is
> going to be a longer job.
> 
> Instead of proposing a twelve month charter with minimal deliverables I
> think that the group should have a longer charter, two or three years
> would be more realistic.

Long charters don't seem to work well.  I'd prefer a charter with the 
first deliverable is that the group should produce a detailed 
description of what it takes to solve the problem and a convincing 
explanation of why it will work.  At the rate IETF moves, that will take 
at least a year.  Once that milestone is completed the group could have 
its charter extended to do the protocol work.  But the protocol work is 
the easy part.


> What I don't think is acceptable is a group saying that they are not
> going to address a part of a problem because 'we do not understand it'

I agree, but it's even worse for a group to try to address a problem 
that it doesn't understand, or for a group to make a part of the problem 
that it doesn't understand a necessary component of a solution.

Keith

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

v2.23.0 | Report a Bug | By Email