At 3:08 PM -0700 8/11/05, Ned Freed wrote:
I thought that what Russ asked for was not a threat analysis for
DKIM, but a threat analysis for Internet e-mail, the system that DKIM
proposes to protect. The idea is that only if we start with a
characterization of how and why we believe adversaries attack e-mail,
can we evaluate whether any proposed security mechanism, e.g., DKIM,
is appropriate, relative to that threat analysis.
This is more less my guess as to what's being asked for, although I
disagree with the implication that DKIM proposes to protect email in
its entirety. Regardless, others do not appear to agree and instead
apppear to be doing very different sorts of analyses.
Ned
I agree that DKIM need not protect e-mail in all security dimensions.
My definition of threat analysis for this context does not require
that, although I admit the wording could have been clearer.
In any threat analysis, the author decides what threats he/she wants
to address. The reader decides if the author has omitted any that the
reader believes are important (to the reader), and thus may reject
the analysis if threats of interest to the reader were not addresses.
In this case, I believe the informal discussion centered on
adversaries who wish to inject spam into the Internet e-mail system,
or who wish to engage in phishing attacks via e-mail. If so, then the
author merely states that, and proceeds to discuss the motivations
for such adversaries (what constitutes success for them) and by what
means they can/do carry out attacks.
With this as background, the author then explains how a proposed set
of countermeasures prevents such attacks, or makes them harder, etc.
The reader then evaluates the claims of the author re the
effectiveness of the proposed countermeasures, given an agreed upon
threat model.
Steve
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf