On 11/19/20 12:01 PM, Keith Moore wrote:
On 11/19/20 1:09 PM, Michael Thomas wrote:
He did say when somebody did dispute they actually sent a piece of
mail, they'd call in an "email expert" witness who would walk them
through why it wasn't forged.
One of my hats.
Who knew there would be a cottage industry for this. Huh.
I have no idea if they resort to using DKIM as one of their
arguments; I'm guessing not, because the entire idea of forgery with
all of the other evidence probably makes it pretty far-fetched.
Absolutely I would "resort" to such, though I hope I'm never asked to
support some irresponsible or frivolous action. I would use every
shred of evidence I could find.
I do understand why having an MSP provide a free non-optional
non-repudiation service is not a great thing in general, and think
that disclosing old private keys is probably a good way to remedy
that. (just make sure that the repository of old private keys is very
well advertised).
But there are lots of legitimate, responsible reasons for validating
that some particular old message is authentic.
Sure, there are pluses and minuses. It's why I think the real work of
publishing keys is in the BCP aspect of it. Users' and providers' goals
are not very well aligned.
I'm still getting over the shock that DKIM played a big role in But Her
Emails that Ned linked to.
Mike