I read the threat analysis and agree with the content
I think that we can elaborate the threats against DKIM indefinitely. The important thing is that the threat analysis in its current form answers the two major questions relevant at this point:
* What threat does DKIM defend against
* Given the previous attempts to do this type of work why is DKIM likely to be more successful?
In reference to the second I would emphasize that we are using the same technology to do something very different. Traditional email security mechansims were designed to encrypt messages first and foremost and provide some sort of proof of sender origin that would create a rebuttable presumption that a message was 'genuine'. Note that I do not use the term 'confidentiality'.
What DKIM does is to allow a party to accept responsibility for an email message. This is very different to the traditional S/MIME, PGP, PEM, MOSS objectives.
Ubiquitous sender signatures create privacy and anonymity concerns we do not want to get involved in. We want to allow Yahoo, Gmail etc to tag the mail they send as having passed through their system and been subjected to their anti-spam velocity controls. If we achieve that goal we save a significant amount of electricity and improve the effectiveness of spam filters.
There are also proposals to build systems on top of DKIM that affect the end user directly. These are important but they are not the focus of the IETF group. There appears to be a strong consensus that the IETF is not the right venue to do user interface standardization work. The IESG does not want to authorize that type of work and previous attempts (HTTP 1.0) suggest that it is unlikely anyone will want to repeat this.
I think that the charter needs to state that the DKIM group will work with other groups that have a bearing on this problem. Inside the IETF with the PKIX working group. Outside with the W3C XKMS group and any security usability WG that might form.
Phill.
_______________________________________________ ietf-dkim mailing list http://dkim.org
