On Wed, 25 Apr 2007, Jeroen Massar wrote:
> The 'case against' OpenPGP according to DKIM folks and a lot of other
> such groups:
> - No established PGP web of trust (the key distribution)

I'd expect X.509 to be the more realistic trust mechanism..

> - hard to deploy for 100.000 clients
> (DKIM you simply install on the mailservers, other mail
> will get bounced as not being signed properly, users will need
> to use the upstream servers)

That's great, but see end-end. You won't be able to drop
DKIM-bad-signature mails. If you use it for whitelisting, what's the
point?

> - OpenPGP doesn't sign the headers, thus one can easily change
> the subject or the MIME boundaries etc. But of course parts are
> then not signed and one can simply choose to not accept the message
> or ignore those parts.

Why do you need to sign the headers?

Really, you care that the message came from the person who sent it,
and has not been tampered with (for purposes of anti-phish at least).
Neither I, nor my parents, care a flying fsck about MTA added headers
and whether they're authentic, when deciding upon authenticity of
email.

At most, a MIME section to allow MUAs to add a signature for MUA
supplied headers - hell, a simple convention, as DKIM uses, on how to
arrange headers+message for an HMAC.

> DKIM is for ISP deployment. One place, one admin, one huge amount of users.

So you're saying ISPs are going to drop email based on lack of or
failing DKIM? Or that they'll maintain per-user whitelists? Course not..
It'll be passed on for users' MUAs to do.

The whole "check it in the middle" idea is bogus, cause there's no
coherent policy to apply until the *end user* gets it..

> Of course MUAs can check it next to the MTA. The place where it
> gets checked is the place where the message can be rejected.

Why would you reject the message?

Again, what specific, high-level *goal* are you trying to achieve?
Cause "ability to reject mail, somewhere, based on DKIM validation,
according to some unspecified policy" doesn't cut it - that's just
technology for the sake of technology. Again, not even the DKIM RFCs
provide any real rationale, just vague, wishy-washy claims that
domain-attestation would achieve something.

Why should it /not/ be done in the MUA, the most natural place?

> I have been smoking the OpenPGP crack pipe for a long time already
> now. Still, as no large entity uses it it doesn't help much,

Help what exactly???

Still awaiting /someone/ to say what actual /good/ DKIM would
achieve. We've had the hype already with SPF, and it achieved
nothing. We now have DKIM: SPF with some of the flaws fixed, and
still /no rationale/ for its existence, beyond:

"Well, it would stop Paypal, Amazon, etc.., phish mail!"

Yay!

So let's all deploy DKIM just so ISPs can DKIM-whitelist big name
domains.

BTW, exactly how will those DKIM whitelists be maintained?... ;)

How many banks are there in the world again?

regards,
--
Paul Jakma    paul at clubi.ie    paul at jakma.org    Key ID: 64A2FF6A
Fortune:
It is not for me to attempt to fathom the inscrutable workings of Providence.
-- The Earl of Birkenhead
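
The "headers+message for an HMAC" convention mentioned in the message above, as an added example that is not code from the post or from any DKIM implementation. It follows the post's wording and uses an HMAC with a shared key, whereas DKIM itself uses public-key signatures; the key, the header list and the sample messages are constructed assumptions.

```python
import hashlib
import hmac
import re
from email import message_from_string

KEY = b"constructed-shared-secret"                  # assumption: pre-shared key
SIGNED_HEADERS = ("from", "to", "subject", "date")  # assumption: MUA-supplied set

def relaxed_header(name, value):
    """DKIM-style 'relaxed' header form: lower-case name, unfold, collapse whitespace."""
    value = re.sub(r"[ \t]+", " ", re.sub(r"\r?\n", "", value)).strip()
    return f"{name.lower()}:{value}\r\n".encode()

def simple_body(body):
    """DKIM-style 'simple' body form: CRLF line ends, trailing empty lines dropped."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()

def mua_tag(raw, key=KEY):
    """HMAC-SHA256 over the chosen headers, in fixed order, then a hash of the body."""
    msg = message_from_string(raw)
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for name in SIGNED_HEADERS:
        # First instance only; duplicate headers are not handled in this sketch.
        mac.update(relaxed_header(name, msg.get(name, "")))
    mac.update(hashlib.sha256(simple_body(msg.get_payload())).digest())
    return mac.hexdigest()

def verify(raw, tag, key=KEY):
    return hmac.compare_digest(mua_tag(raw, key), tag)

# Constructed sample messages.
ORIGINAL = ("From: alice@example.org\nTo: bob@example.net\n"
            "Subject: Invoice 42\nDate: Wed, 25 Apr 2007 10:00:00 +0100\n\n"
            "Please pay by Friday.\n")
# A relay prepends its own header and refolds Subject: both are outside the tag.
RELAYED = ("Received: from mx.example.net by mail.example.net\n"
           + ORIGINAL.replace("Subject: Invoice 42", "Subject: Invoice\n 42"))
# A changed Subject is inside the tag and must fail verification.
TAMPERED = RELAYED.replace("Invoice\n 42", "Invoice 43")
TAG = mua_tag(ORIGINAL)

if __name__ == "__main__":
    for label, raw in (("relayed", RELAYED), ("tampered", TAMPERED)):
        print(label, "ok" if verify(raw, TAG) else "FAILED")
```
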