On August 23, 2005 at 10:09, Ned Freed wrote: > It seems to me that the underlying disagreement here has to do with the > term "signature". In DKIM signatures are nothing but a means to an end: > They provide the means of attaching an accountably identity to a specific > message.
I am uncertain about the use of the term of "accountability". It opens up a can of worms on what the levels of accountability will be and what will be the enforcement policies to insure accountability. If the DKIM specification explicit states that it provides an accountable identity for a message without mentioning what is involved for being accountable, then you may get adoption problems. What DKIM can do is provide a domain-level identity authentication of domains involved in the transmission of mail. With a reliable domain-level authentication framework, more reliable reputation, accreditation, and other trust-type systems can be developed to deal with abusive mail practices. Real accountability is defined by these trust-type systems, not DKIM. To better facilitate the functioning of these systems, the role of the signer should be captured. Should a forwarder (e.g. college alumni permanent address service) have the same level of accountability as the originating domain (the domain that received the initial submission of a message)? It may be sufficient to just capture if the signer is doing a "here is what I saw" signature and a "i'm the originating domain signature". This will allow the laying of "blaim" more appropriately based upon the role the signer plays. Without capturing the role of the signers, entities will be hesitant to implement DKIM until they know exactly what the accountability framework is and the level of accountability taken upon the signer. > Frankly, if there were some other means of performing this sort of > attachment I would be in favor of using it, because people persist > in conflating "signatures the cryptographic tool" with "signatures > as a service". DKIM isn't supposed to provide a general content > signing service, or a general nonrepudiation service, or any of > the other myriad things that can be built on top of "signatures the > cryptographic primitive". The service DKIM provides is the attachment > of an accountable identity to a specific message. Nothing more and > nothing less. What does it exactly mean to be an "accountable identity"? --ewh _______________________________________________ ietf-dkim mailing list http://dkim.org
