Douglas Otis wrote this message on Wed, Oct 23, 2013 at 12:47 -0700:
> On Oct 23, 2013, at 11:44 AM, Dave Crocker <[email protected]> wrote:
>
> > On 10/23/2013 2:34 PM, Noel Torres wrote:
> >> On 23/10/13 19:18, Dave Crocker wrote:
> >>> On 10/23/2013 2:13 PM, Noel Torres wrote:
> >>>> I think it would be possible, and even easy for the developers, to
> >>>> program an extension to SMTP in which servers use OpenPGP among them,
> >>>> independently of any TLS/SSL usage.
> >>>>
> >>>> Why: It helps stopping spam because the receiver server can trust the
> >>>> identity of the sender, and it helps avoiding wiretapping.
> >>>
> >>> Please explain its superiority over DKIM and SPF and DMARC.
> >>>
> >>> d/
> >>>
> >> Hi Dave
> >>
> >> In short, DKIM does not avoid wiretapping on itself, SPF does not,
> >> either, nor DMARC.
> >
> > You cited the benefit you are seeking as trusting who the 'sender' was.
> > That's an authentication/signature task, not a confidentiality/encryption
> > task.
> >
> > d/
> >
> > ps. the mere fact of authentication does not vet the trustworthiness of the
> > validated identity.
>
> Dear Dave,
>
> As you know, DKIM can not authenticate the sender. DKIM authenticates some
> unseen domain signed a portion of the message. DKIM does not confirm the
> signing domain intended to send the message to the recipient either. Nor
> does DKIM ensure valid message structure where acceptance on the basis of
> trusted DKIM signatures can be hazardous, contrary to the process described
> in the DKIM deployment RFC. In addition, because DKIM can not authenticate
> the sender, it can never abate email abuse either, nor was that ever
> described as a supported feature.
What is your definition of sender? The sender can be many different
entities in this context.. I can be the relay, it could be the domain's
email server or it could be the end user...
From my understanding, DKIM is basically a statement from a responsible
domain, that I have done my best to validate that this is a legitimate
email and I don't relay for untrusted people, etc...
> StartTLS is not affected by message structure and indicates the intended
> recipient as well as identifying an accountable sender. StartTLS offers a
> safe basis for trust, reputation, and acceptance. DKIM in conjunction with
> DMARC has very limited applicability and only prevents From header field
> spoofing but even then allows click-able links to be injected into a spoofed
> Subject header field.
Maybe I'm missing something, but I'm not sure how STARTTLS (plus presumably
w/ DANE) can authenticate that the client is the sender? I might be
missing the RFC/standard/etc. that allows server to auth the client cert..
In most cases I've seen, it's only the client/relay authenticating server..
> ps. DKIM authentication does not vet the message nor the trustworthiness of
> the signing domain. DKIM does not validate any identity either.
As far as my understanding, nor does STARTTLS...
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
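The disagreement above turns on what a DKIM signature actually attests: that some domain (the d= tag) signed the header fields listed in h= plus the body, not that the From: address is the sender, and not that fields outside h= (such as Subject) were ever covered. The script below, added here as an illustration and not code from the thread or any of its participants, parses the DKIM-Signature tag list (RFC 6376 section 3.2), reports the signing domain, the covered headers, whether Subject is among them, and whether the signing domain is DMARC-aligned with the From: domain. It does not verify the signature cryptographically; the bh= and b= values in the constructed sample messages are placeholders, the domains are invented, and the organizational-domain check approximates DMARC relaxed alignment with the last two labels instead of the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the thread): a third-party domain signed the
# message, and Subject is not in the h= list, so a spoofed Subject would still
# pass DKIM.
SAMPLE_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bulk-mailer.example;
 s=sel1; h=From:To:Date; bh=ZmFrZQ==; b=ZmFrZQ==
From: Alice <alice@bank.example>
To: Bob <bob@example.net>
Subject: Click here
Date: Wed, 23 Oct 2013 12:47:00 -0700

body
"""

# Constructed sample (not from the thread): signer matches the From: domain and
# Subject is covered by the signature.
ALIGNED_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bank.example;
 s=sel1; h=From:To:Subject:Date; bh=ZmFrZQ==; b=ZmFrZQ==
From: Alice <alice@bank.example>
To: Bob <bob@example.net>
Subject: Statement available
Date: Wed, 23 Oct 2013 12:47:00 -0700

body
"""


def parse_dkim_tags(header_value):
    """Parse a DKIM-Signature tag=value list into a dict.

    Header folding (newline followed by whitespace) is undone first, and all
    whitespace inside a value is dropped, as RFC 6376 permits for tag values.
    """
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)
    tags = {}
    for part in unfolded.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signed_headers(tags):
    """Return the header field names covered by the signature, lower-cased."""
    return [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]


def organizational_domain(domain):
    """Approximate the DMARC organizational domain with the last two labels.

    Real DMARC implementations consult the Public Suffix List; this shortcut is
    an assumption made for the example and is wrong for domains like co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(raw_message):
    """Report what a (hypothetically valid) DKIM signature would attest."""
    msg = message_from_string(raw_message)
    tags = parse_dkim_tags(msg["DKIM-Signature"])
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    signing_domain = tags.get("d", "").lower()
    covered = signed_headers(tags)
    return {
        "signing_domain": signing_domain,
        "from_domain": from_domain,
        # DMARC relaxed alignment: organizational domains must match.
        "dmarc_aligned": organizational_domain(signing_domain)
        == organizational_domain(from_domain),
        # A Subject not listed in h= can be altered without breaking DKIM.
        "subject_signed": "subject" in covered,
        "signed_headers": covered,
    }


if __name__ == "__main__":
    for label, raw in (("third-party signer", SAMPLE_MESSAGE),
                       ("aligned signer", ALIGNED_MESSAGE)):
        print(label, analyze(raw))
```

Run against the first sample, the report shows d=bulk-mailer.example, From: bank.example, no alignment and Subject unsigned; that is exactly the gap the thread describes, where a DKIM pass says nothing about who the "sender" is and leaves an uncovered Subject open to modification. The second sample is what DMARC alignment requires before a signature can be tied to the visible From: domain.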