Subject: RE: [pki-tc] Candidates for OASIS PKI TC Chair
Since DKIM relies on DNS, the vulnerabilities in DNS will cause problems for the keys there too, which in turn will cause legal challenges in court, if any. I remember DKIM mentions a long list of issues or conditions still waiting to be resolved in order to make DKIM more secure than it is. With those potential holes, I would not think it has a stronger legal binding than traditional PKI.

As for gateway-level encryption in DKIM, it would be a nice add-on in the future, but it does not solve the content security issue between the email client and its local gateway unless the email client can talk securely with its local gateway. Then the question would be: how complicated would it get? Will it face similar problems as PKI faces now?

-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren@telia.com]
Sent: Thursday, April 13, 2006 10:52 AM
To: Yu, Jiafu; PKI TC
Subject: Re: [pki-tc] Candidates for OASIS PKI TC Chair

Hi Jiafu,

You are right, the goals with DKIM are not the same as with S/MIME. That DKIM does not have legal binding is though something that can be elaborated a bit. Legally binding signatures have two distinct meanings.

1. As a direct replacement of wet signatures (=automation). This is where DKIM and S/MIME currently differ, since DKIM has no support for signature directives.

2. As evidence in court. The legal systems have shown themselves to be very pragmatic, putting folks in prison based on things like unsigned mail and IP addresses. DKIM, particularly in an organization context, is likely to be as hard to repudiate as an S/MIME signature.

S/MIME encryption is probably the least working PKI application there is, since it is in conflict with an organization's need for virus checking on in-bound messages as well as content monitoring on out-bound dittos. Not to mention how hard it is to use.
But there is more: That millions of US public sector employees have certificates does not help much, as there is no easy way you can get hold of their public keys due to privacy concerns. I always thought that the primary reason for having a public sector was for serving the society at large!

Some recent, associated papers:

http://middleware.internet2.edu/pki06/proceedings/rundgren-websigning.ppt
http://middleware.internet2.edu/pki06/proceedings/hallam-baker-email_usability.ppt
http://middleware.internet2.edu/pki06/proceedings/hallam_baker-usable_email.pdf

My hope is that DKIM will get an update so that even encryption is handled at gateway level. This should be a no-brainer AFAIK.

regards
Anders Rundgren

----- Original Message -----
From: "Yu, Jiafu" <Jiafu_Yu@stercomm.com>
To: "Anders Rundgren" <anders.rundgren@telia.com>; "PKI TC" <pki-tc@lists.oasis-open.org>; "Arshad Noor" <arshad.noor@strongauth.com>
Sent: Thursday, April 13, 2006 16:02
Subject: RE: [pki-tc] Candidates for OASIS PKI TC Chair

I would question a statement like "That secure e-mail currently is being redesigned from the ground and up (DKIM)". The goal of DKIM is to identify who sends email, mainly from the SMTP gateway point of view (for suppressing spamming). It does have the advantage of ease of key distribution, using DNS for key lookup and retrieval, but it is only for message origin verification, not for message content security (encrypted like S/MIME). It does not have a legal binding at this point.

Secondly, depending on how we use PKI, if we mainly use PKI without legal binding, as DKIM, PKI will be more popular than it is now. I still think PKI at this point is still the most effective solution in certain industries or regions for its original goals (authentication, integrity, non-repudiation etc).
-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren@telia.com]
Sent: Thursday, April 13, 2006 8:37 AM
To: PKI TC; Arshad Noor
Subject: Re: [pki-tc] Candidates for OASIS PKI TC Chair

>Businesses continue to search for the elusive silver bullet to
>solve their security problems - but it is my belief that until
>they start using PKI in many different aspects of their IT
>infrastructure (along with appropriate changes to applications,
>business processes and employee training), that silver bullet
>will continue to elude their grasp.

I think businesses should be cautious embracing a technology that not even the people who claim to know PKI know how to apply to everyday business processes such as e-purchasing. Until such knowledge becomes common, agreed upon, and published[*], businesses betting on PKI are at risk of being stuck in pretty "consultant-intensive" activities.

That "secure e-mail" currently is being redesigned from the ground and up (DKIM) is another indication that the previous generation of PKI "theologists" did not actually foresee the Internet revolution. The problem is that S/MIME effectively delegates security policy enforcement down to the [nowadays often rather novice] users. The following is how secure e-mail should have been:

"If I send a mail via my company, it is my company that secures it"

If any of the TC chair candidates have the guts to address any of these issues, he or she has my full support.

Anders Rundgren

*] Go to NIST's PKI pages. Nothing
Go to PKI-TC AGSC pages. Nothing
Go to PKI-*. Nothing