On 10/2/19 12:29 PM, Jon Callas wrote:
> I know that I've written about this before, so please bear with me a bit. A
> continuing concern of mine is the way that DKIM contributes to overall
> surveillance smog that the Internet has.
>
> When we designed DKIM, this was something we considered; it was a concern. It
> wasn't so big a concern that we thought it should derail DKIM, and it wasn't
> even a concern when it was taken over by the IETF. Nonetheless, it was an
> issue, is an issue, and becomes a bigger issue nearly every day. The most
> notorious failure here is the Podesta email dump, where the stolen emails
> were verified against the DKIM signatures. This is precisely what we didn't
> want to happen -- that DKIM was used for things beyond fighting inauthentic
> emails. We ought to do something, the question is what.

Yes, we definitely considered privacy with respect to DKIM. But my recollection is different: I don't remember discussion of the potential forensic use of DKIM signatures to provide unintended non-repudiation of leaked emails. I also wouldn't describe the presence of such signatures on email messages to be surveillance -- although it does contribute to the effectiveness of surveillance done by other means.

The type of surveillance we were discussing at the time was the potential that the verification of a DKIM signature might give the sender information on the location of the recipient (by observing the DNS requests at the point where the key record is hosted). Use of different selector names could also differentiate requests on behalf of a particular target. I believe this concern was addressed by the observation that the signature verification would typically be done by the recipient's mail provider, and not by the recipient themselves.

I don't doubt that others (particularly Jon) thought more thoroughly than I about privacy concerns such as this.

-Jim (who will read the article soon!)
