> On Dec 6, 2022, at 14:23, Michael Thomas <[email protected]> wrote:
>
>
> On 12/6/22 2:05 PM, [email protected] wrote:
>> I very much disagree with everything the above poster said.
>>
>> Deniability is a default property of all e2ee messaging apps; it’s both
>> surprising and disheartening that email — a largely unencrypted medium —
>> fails to provide deniability for its users. If we said that signal was
>> behaving this way, or TLS, or any other e2ee protocol, we’d be up in arms.
>>
> If you want deniability you need to do it some other way. You have absolutely
> no control over the receiving domain and little to no control over the
> sending domain as well. Even if this wg produced a BCP, BCP's are toothless
> and rely on good will when there may be none or can't be bothered. Even
> unsigned mail can make for good circumstantial evidence.

I'm very much pro-signature removal.

I'm going to disagree with Mike a bit in that *deniability* is not what we
want. What we want is not creating a mostly-valid non-repudiation. (Me, I don't
think deniable encryption is possible, but that's another long discussion.)

There have been a few cases where DKIM signatures were used to verify hacked
email accounts.

However, as you know, DKIM authenticates the Administrative Domain, not the
user. We know that if someone were to be able to do simple SMTP forging to an
outgoing MTA, the MTA would sign the message despite it not coming from the
user.

The purpose of a DKIM signature is, as our original statement put it, to make
sure that a message from your bank actually came from your bank, even if it
passed through your alumni association. Once it arrives at your real mailbox,
that signature is not needed.

Frankly, there are plenty of other headers that ought to be removed as well.
That is also another long discussion that I don't want to rathole on. In any
event, email leaks all sorts of information about senders, intermediate
domains, and more, and this is a real issue. It's just one we're used to.

Jon
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
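
An added illustration of the delivery-time signature removal discussed in the message above; it is not code from the thread or from any mail software. It goes one step beyond the message by recording the verdict in an Authentication-Results field (RFC 8601) before dropping the signatures, and it assumes the verdict (`dkim_result`, `signing_domain`) was already computed by the receiving MTA's verifier; the function names and the sample message are constructed for this example.

```python
import re

STRIP = {b"dkim-signature"}  # the field the thread proposes dropping at final delivery

def split_fields(header_block: bytes) -> list[bytes]:
    """Split a header block into fields, keeping folded continuation lines attached."""
    fields: list[bytes] = []
    for line in header_block.splitlines(keepends=True):
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] += line          # continuation of the previous field
        else:
            fields.append(line)
    return fields

def claims_authserv(field: bytes, authserv_id: str) -> bool:
    """True if an Authentication-Results field names our authserv-id (untrusted on input)."""
    _, _, value = field.partition(b":")
    tokens = re.sub(rb"\s+", b" ", value).split(b";", 1)[0].split()
    return bool(tokens) and tokens[0].lower() == authserv_id.lower().encode()

def deliver(raw: bytes, authserv_id: str, dkim_result: str, signing_domain: str) -> bytes:
    """Mailbox copy: verdict recorded, signatures removed. No cryptography is done here."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if sep:
        head += b"\r\n"                 # restore the CRLF that ended the last field
    kept = []
    for field in split_fields(head):
        name = field.partition(b":")[0].strip().lower()
        if name in STRIP:
            continue
        if name == b"authentication-results" and claims_authserv(field, authserv_id):
            continue                    # an inbound copy using our id cannot be trusted
        kept.append(field)
    verdict = (f"Authentication-Results: {authserv_id}; "
               f"dkim={dkim_result} header.d={signing_domain}\r\n").encode()
    return verdict + b"".join(kept) + (b"\r\n" + body if sep else b"")

# Constructed sample message (all names and values are made up for this example).
SAMPLE = (
    b"Authentication-Results: mx.recipient.example; dkim=pass header.d=other.example\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; d=bank.example; s=sel1;\r\n"
    b"\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    b"dkim-signature: v=1; a=rsa-sha256; d=alumni.example; s=fwd; b=PLACEHOLDER\r\n"
    b"From: alerts@bank.example\r\n"
    b"Subject: Statement ready\r\n"
    b"\r\n"
    b"Your statement is ready.\r\n"
)
```

The stored copy keeps an unsigned statement of the verdict from the receiving domain, while the sender's signature itself is no longer attached to the message.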