Eliot Lear <[EMAIL PROTECTED]> writes:

> EKR wrote:
>>> I believe the point Dave is trying to make is that you don't need to
>>> deploy a huge infrastructure to deploy DKIM.
>>
>> Well, in that case you could argue the same thing about S/MIME,
>> which can work in opportunistic (only partly secure modes).
>
> Right. See below about weaker claims and the lack of a fully deployed
> PKI. It is designed primarily to scale to the level of a domain.
>
>>> DKIM does NOT require DNSSEC.
>>
>> And S/MIME doesn't require PKI.
>
> S/MIME has its own set of problems, which I won't rehash.

Of course. My point is merely that DKIM has some set of advantages
vis-a-vis S/MIME and PGP, but that this draft overstates them.

>>> Deploying DNSSEC improves the security of DKIM in the face of
>>> DNS attacks.
>>
>> In the face of attacks which we know happen....
>
> In those places where that's important perhaps we'll see DNSSEC
> deployment, then.

Right, so I don't think it's reasonable to claim that there's no
dependency.

>>>> I'm not sure I understand what reputation means in this context.
>>>
>>> I believe it would be pedantic to define a commonly used English word.
>>
>> I disagree.
>> 1. It's a technical term in the security community, and since there's
>> no reputation service being proposed..
>
> The language was plainly used. You are, however, raising two separate
> issues: use of the term and whether reputation services are in scope.
> They are clearly not. However, that doesn't mean that DKIM cannot be
> used by such services, and it certainly doesn't mean that we must never
> refer to them. This having been said, I still believe the plain
> language reading connotes an obvious meaning.

Hmm... I don't. Not sure what else to say.

>> 2. As I've pointed out before, manual forensics about who actually
>> sent a message aren't really *that* difficult. Transmitting a message
>> at all puts your reputation on the line--to the extent that sending
>> spam damages your reputation.
>
> Forensics != verification. And verification != reputation.

What's your point?

>>> I read Dave's claim is to the contrary. They presumed a directory
>>> infrastructure that in fact has proven difficult to widely deploy to the
>>> level of the individual.
>>
>> Hmm... I don't read it that way. The beginning of 5.4 says:
>>
>>    Unlike all four previous IETF email security initiatives, DKIM
>>    employs a key centric, directory based PKI as opposed to a
>>    certificate based PKI in the style of Kohnfelder (X.509) or Zimmerman
>>    (web of trust).
>>
>> Which seems to suggest that X.509 isn't directory-based. But as I
>> noted, the original design certainly was....
>
> While I could see how you could take this one sentence out of context
> and view it as poorly worded,

What a strange argument, since I also posted several paragraphs which I
also believe imply the same thing. You may not agree with my reading,
but I don't see why you're arguing that I'm taking it out of context.

> let's agree that the author does not
> believe X.509 was implemented outside the notion of a directory. Let me
> suggest, therefore, that you propose wording to clarify.

I would, but I don't really understand what the paragraph is intended
to mean.

-Ekr

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
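The two technical points argued in the message above, that DKIM's "key centric, directory based PKI" is just a public key published in a DNS TXT record, and that without DNSSEC that lookup is a dependency whose answer nobody has authenticated, can be made concrete with a small parser. The code below is an added example written for this page; it is not code from the thread, the draft, or any DKIM implementation. It parses the tag=value key record that a verifier fetches from `<selector>._domainkey.<domain>` (the RFC 6376 format: `v=`, `k=`, `p=`, `t=`), handles TXT records that DNS has split into several strings, treats an empty `p=` as a revoked key, and then classifies the key according to whether the resolver reported the answer as DNSSEC-validated. The sample record, its key bytes, and the `dnssec_authenticated` flag are all constructed here; a real verifier would obtain the flag from its resolver (the AD bit) and the key bytes would be a genuine DER-encoded public key.

```python
import base64
import re

# Constructed stand-in for a DER-encoded public key; NOT a real key.
SAMPLE_KEY_DER = bytes(range(48))
# Constructed DKIM key record in the RFC 6376 tag=value form.
SAMPLE_RECORD = (
    "v=DKIM1; k=rsa; t=s; p=" + base64.b64encode(SAMPLE_KEY_DER).decode("ascii")
)
# A record with an empty p= tag means the selector's key has been revoked.
REVOKED_RECORD = "v=DKIM1; k=rsa; p="


def parse_dkim_key_record(txt_strings):
    """Parse the tag=value list published at <selector>._domainkey.<domain>.

    txt_strings: the character-strings of the TXT RR. DNS may split a long
    record into several strings, so they are concatenated before parsing.
    Returns a dict describing the key, or raises ValueError on a bad record.
    """
    text = "".join(txt_strings)
    tags = {}
    for field in text.split(";"):
        field = field.strip()
        if not field:
            continue  # trailing ';' or empty field
        if "=" not in field:
            raise ValueError("malformed tag: %r" % field)
        name, value = field.split("=", 1)
        name = name.strip()
        value = re.sub(r"\s+", "", value)  # folding whitespace inside values
        if name in tags:
            raise ValueError("duplicate tag %r" % name)
        tags[name] = value

    # v= is optional, but if present it must be DKIM1 and must come first.
    if "v" in tags:
        if tags["v"] != "DKIM1":
            raise ValueError("unsupported version %r" % tags["v"])
        if not text.lstrip().startswith("v="):
            raise ValueError("v= must be the first tag when present")
    if "p" not in tags:
        raise ValueError("missing required p= tag")

    # base64 decode; validate=True rejects stray characters (binascii.Error
    # is a ValueError subclass, so callers catch one exception type).
    key_der = base64.b64decode(tags["p"], validate=True)
    flags = set(tags.get("t", "").split(":")) - {""}
    return {
        "version": tags.get("v", "DKIM1"),
        "key_type": tags.get("k", "rsa"),   # k= defaults to rsa
        "key_der": key_der,
        "revoked": key_der == b"",
        "testing": "y" in flags,            # t=y: domain is testing DKIM
        "strict_domain": "s" in flags,      # t=s: i= must match d= exactly
    }


def evaluate_key(txt_strings, dnssec_authenticated):
    """Classify a fetched key record for a verifier's trust decision.

    dnssec_authenticated: True if the resolver validated the answer with
    DNSSEC (AD bit set). Without it the key is still usable, which is the
    "DKIM does not require DNSSEC" point, but it came from an unauthenticated
    lookup and could be substituted by anyone able to tamper with DNS, which
    is the dependency the reply above says cannot be claimed away.
    """
    rec = parse_dkim_key_record(txt_strings)
    if rec["revoked"]:
        return "revoked"
    if rec["testing"]:
        return "testing"
    return "authenticated" if dnssec_authenticated else "unauthenticated"


if __name__ == "__main__":
    for strings, ad in [([SAMPLE_RECORD], False), ([SAMPLE_RECORD], True),
                        ([REVOKED_RECORD], True)]:
        print(evaluate_key(strings, ad))
```

The classification is deliberately coarse: a verifier that gets "unauthenticated" still has a key it can verify the signature with, but any reputation or policy decision built on top of that verification inherits the DNS lookup's lack of integrity unless the zone is DNSSEC-signed and the resolver validates.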
