Fri, 17 Feb 2006

DomainKeys versus DKIM knockdown

Background

Currently, it's trivially easy to forge an email. Doesn't take any skill whatsoever: you just write what you want, and the recipient's email program will believe you. That was fine when the Internet was a backyard toy, but it's hit the big time, and forgery is rampant.

Most of us are merely tired of it, but Yahoo got tired and angry, got off their butts and did something about it. They wrote the DomainKeys standard, and published it for everyone to use. They've implemented it, as have Google Mail and EarthLink. DomainKeys isn't being considered by the IETF as a standard; DKIM is.

The Controversy

The problem, as I see it, and I'm biased, is that DKIM isn't any better than DomainKeys. Or, if you feel differently and think that DKIM is technically better than DomainKeys, I'll point out that a scrawny implemented bird in the hand is infinitely better than any number of flocks of big fat juicy unimplemented undeployed pre-standard birds in bushes. Whatever flaws in DK are repaired in DKIM aren't worth the market confusion that DKIM is causing.

The only reason DKIM exists is because some people saw DomainKeys, and (for some unholy reason) said "That's a great idea, but we have to be seen as leading the marketplace with our own standard, so we'll create IIM which is only slightly different and not any better than DK, and immediately offer a compromise standard called DKIM". Of course, you've never seen an IIM signature because nobody has actually deployed IIM.

So, yeah, I'm one of the people who is willing to say "Ignore the IETF; ignore DKIM; implement DomainKeys without delay, because it's the only usable, existing, implemented, and deployed email signing standard; there is no other game in town, and all other games are less likely to be as successful."

My Conclusion

DKIM is teh suck. If you're waiting for it, you're wasting your time. Implement DomainKeys TODAY. Join sendmail and qmail (the #1 and #2 MTAs on the Internet), Google Mail, and Yahoo in signing your email.

DKIM is doing to DK what Sender ID did to SPF. Insist that the IETF standardize on the standard instead of pulling an ISO and chasing paper standards.

Posted [02:20] [Filed in: opensource]