Alessandro Vesely wrote in
 <652789f7-0a0a-f8db-11f9-2558bc9ec...@tana.it>:
 |On Thu 17/Aug/2023 04:45:48 +0200 Bron Gondwana wrote:
 |> On Tue, Aug 15, 2023, at 21:36, Alessandro Vesely wrote:
 |>> On Tue 15/Aug/2023 08:10:23 +0200 Bron Gondwana wrote:
 |>>> We'd love to not sign spam at all, but short of never allowing
 |>>> users to send email, it's not actually possible.  We're not trying
 ...
 |>> The whole concept of domain authentication is questionable if domains
 |>> have no idea who their users are.
 |> 
 |> At scale, there's always going to be a small percentage of bad users
 |> / hacked users on any system.  Hence trying to make domain authentication
 |> not so valuable that getting it on a message is super powerful.
 |
 |What is the value of domain authentication?  And what should it be?
 |
 |To answer, consider you bought goods or services for a large amount.  The
 |invoice arrives by email specifying the exact amount and the bank account
 |code.  The mail is DKIM-signed.  Up to what amount would you trust and pay
 |without calling?

I think DKIM verifies source domains.  That is a value by itself.
  With an extension it can also provide a locked contract about
  desired receivers; be made proof against malicious signature
  removals; and allow restoration of original content so that each
  modification can be undone; cryptographically secure from top to
  bottom.  (If "from station to station" (the enhanced) DKIM is
  applied.)

To answer your question.  I do not yet pay digitally.  I wonder
whether we should start paying with salt again, or such.  But if
not, and if my bank (i have one) sends me a signed message,
i think i would trust it.

More, usually (it happened in the past) they then point to their
web site, where you then *do*, and isn't the certificate of that
website, which itself is likely verified by some CA in some CA
pool that you do not have control over, or do not exert control
over, also because the interface is user unfriendly, a much bigger
problem, also security-wise, than the DKIM signature?  Especially
with DNSSEC etc etc?

I personally do have my own
  $ env|grep SSL
  SSL_CERT_FILE=/home/steffen/sec.arena/tls.git/cacert.pem
which derives from (what else?) (Google-paid) Mozilla, via
(what else?) cURL mk-ca-bundle.pl, and is then adjusted a bit,
automatically.  However, i filter out some old stuff etc., i keep,
and have to keep, of course, most of them in.  This is all
commercial, is it.  (Now that the certificate of the Netherlands
was removed around December last year.)  Very western stuff!!
Unfortunately Firefox does not pick that "standard" SSL_CERT_FILE
up when it starts. :-(

Heck i trust an unbelievable amount of someone because they paid
for it!  Compared with DKIM, where i put *my domain* into the DNS.

Of course a service with billions of users has a problem.  But
the solution to that problem has, in my opinion, nothing to do
with DKIM.
And keys can always be stolen, no matter what service.  And here
i think DNS with its automatization and TimeToLive has a better
stance than for example a billion local CA pools on this world.
(Let aside that OCSP and rejection list verification are also
often not used at all, or not up to date, etc.)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
