Re: bozoproofing the net, was The Value of Reputation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



"John R Levine" <johnl@xxxxxxxx> writes:

>> OK.  If this is just an assumption and not backed by evidence, I would
>> suspect that outside of the web you see a lot less use of the big CAs.

This is my impression as well. And a fair amount of the reason here
is UI: the browsers are set up to check the server's cert and
the MTAs generally are not.


> Probably true.  And since DKIM has no provision for authorities at all, it
> definitely doesn't use them.

Well, yes and no. DKIM depends for its security on the DNS,
which means that it depends on the security of the DNS.
In order for this to be strong (i.e., cryptographic) security,
the relevant DNS records need to be signed and that means 
that there's a dependency on the DNSSEC roots.


> So remind me, what is the problem with DKIM that we're all supposed to be
> worried about?

AS I understand it the concern is that people who don't use DKIM
will eventually not be able to send e-mail to people who are using
it. I'm not sure that this is something that people should be concerned
about, indeed, the logic of this kind of system is that if it succeeds
that's exactly what will happen. 

That said, I don't think that the comparison with STARTTLS is particularly
illuminating. While in principle one could use STARTTLS as a measure
to discriminate between classes of senders, in practice it's not used
that way but instead used primarily for confidentiality. However,
DKIM's only real use is to discriminate between classes of senders,
so we do need to expect it to be used that way.

-Ekr

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]