[ih] DKIM history, was IETF relevance (was Memories of Flag Day?)

Dave Crocker dhc at dcrocker.net
Wed Aug 30 07:06:57 PDT 2023


>> IIM protected the integrity of fetching the key record using TLS.
...
> Depends on what your goals are. At least until Let's Encrypt came
> along, TLS certs were a lot harder to deploy than just publishing a
> key record in the DNS. People use DKIM to associate a domain with a
> message to develop reputations for mail filtering, not for stronger
> assertions or non-repudiation. For that purpose it's been a wild
> success, partly due to its relatively easy deployment.
>
> On the other hand, if you want high strength certificate signatures on
> your mail, S/MIME has always been there and is notable for its lack of
> use outside of some niche applications.
>
> I don't think I've ever seen the kind of attack that DNSSEC defends
> against in the wild, certainly not against DKIM records, so in
> practice it's secure enough. Perhaps by accident we made the right
> tradeoff.

DKIM's job is to provide a reliable identifier for distinguishing an 
email transit stream.  A very modest goal that is nothing like providing 
long-term content authentication.

Design is tradeoffs.  Cost vs. benefit.  It is common to focus too much 
on the presumed benefit, without much attention to cost. So, for 
example, very careful clarity about the purpose of a spec is essential, 
as is very careful consideration of the costs -- implementation, 
operation, use -- for alternative design choices.

By way of example, layering some usage conventions on top of an existing 
global query service is /far/ less expensive and /far/ less risky than 
requiring development and deployment of a brand new global query 
service.  Possibly uglier.  But much cheaper and much lower barriers to 
adoption.

Besides the DNS, there is no other global Internet query service that 
has integrated functional semantics.  The web might be mistakenly 
thought to be one, but it isn't.  It is a global mechanism for accessing 
a very large number of entirely independent query services.  Quite 
different from the nature and benefit of an integrated service like the DNS.

d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker at mastodon.social
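As an added illustration of the "usage conventions layered on an existing global query service" point above, here is how a DKIM verifier derives the DNS name from the d= and s= tags of a signature and parses the key record it gets back (example code, not from this post or from any DKIM implementation; the selector, domain and key bytes below are constructed placeholders):

```python
import re
from typing import Dict

# Constructed sample TXT record, as a verifier would receive it from a lookup of
# sel1._domainkey.example.com (placeholder domain and selector, not from the post).
SAMPLE_KEY_RECORD = "v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7PLACEHOLDER"

# Constructed DKIM-Signature header value; only d= and s= matter for the lookup.
SAMPLE_SIGNATURE = "v=1; a=rsa-sha256; d=Example.com; s=sel1; h=from:to:subject; bh=xx; b=yy"


def parse_tag_list(text: str) -> Dict[str, str]:
    """Parse the tag=value list syntax DKIM uses for both signatures and key records."""
    tags: Dict[str, str] = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = re.sub(r"\s+", "", value)  # folding whitespace is ignored
    return tags


def dkim_query_name(signature_header: str) -> str:
    """The DKIM convention: the key for d=/s= lives at <s>._domainkey.<d> as a TXT record."""
    sig = parse_tag_list(signature_header)
    return f"{sig['s']}._domainkey.{sig['d']}".lower()


def parse_key_record(txt: str) -> Dict[str, str]:
    """Validate a DKIM key record: v= defaults to DKIM1, p= is required."""
    tags = parse_tag_list(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM1 key record")
    if "p" not in tags:
        raise ValueError("key record lacks the required p= tag")
    return tags


def key_is_usable(tags: Dict[str, str]) -> bool:
    """An empty p= means the key has been revoked; k= defaults to rsa."""
    return tags["p"] != "" and tags.get("k", "rsa") in ("rsa", "ed25519")
```

A verifier that cannot confirm the record is well-formed and unrevoked should treat the signature as absent rather than as a failure to be reported.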