Re: mail signing history, was Call for Community Feedback: Retiring IETF FTP Service

[ned+ietf@mauve.mrochek.com]

> In article <01RS5CFAY5S0005PTU@mauve.mrochek.com> you write:
> >More specifically, we developed DKIM/DMARC as an anti-phishing measure for
> >commerical email. It was never intedned to be used for personal email, but
> >Yahoo deployed it in the personal email space and others have followed suit on
> >a massive scale. As a result a significant and growing percentage of email is
> >now signed, to the point where privacy experts are calling for DKIM key release
> >after rotation to at least partially mitigate the damage we have done.

> Urrgh. We correctly expected DKIM to be used for all sorts of mail,
> but without expecting the DKIM domain to match the From (other than
> the experimental and unused ADSP extension.) DMARC made "aligned"
> signatures treated specially, but the signatures didn't change.

> What we didn't anticipate is that large mail systems would never
> rotate their keys and use the same DKIM signing key for many years, so
> you can easily check old messages with old signatures. I suppose it is
> kind of a surprise that people use them for non-repudiation, but since
> the signatures aren't technically very different from S/MIME or PGP
> signatures, it shouldn't be that surprising.

FWIW, I actually pointed out this and other potential downsides of using
signatures way back when DKIM was originally standardized, but (a) We don't
have an alternative technology, or even an idea of what an alternative
technology would be, and (b) As you say, we didn't expect it to be this bad.

There's also no way to fully mitigate the issue: Someone can always immediately
apply an independent timestamping service to every message they see, making
subsequent exposure of the private key meaningless.

That said, a mechanism for publishing/expiring DKIM private keys is something
the IETF might want to standardize.

				Ned