> In which scenario Amazon would deny sending an email and you would be protected by DKIM?
You want a specific scenario of a dispute between a vendor and a customer? Ok. Let's say I email Amazon's customer support to ask them if a specific order is going to incur customs fees, and the Amazon representative emails me back that the order is not going to incur customs fees. Then I make the order, and to my surprise, I do have to pay custom fees. I contact Amazon to ask them to compensate me for the fees, but Amazon now claims that they are not responsible for custom fees. At this point I would be protected by a copy of the email where they claimed that I would incur no customs fees. If I can demonstrate to Amazon that I have proof of their false claims, prior to the purchase, they will be inclined to compensate. If they refuse to compensate, I can (depending on jurisdiction) take my claim to small claims court and present my evidence there. In this case it's unlikely for anyone to actually validate the DKIM signatures, but it does matter whether email is generally considered to be non-repudiable. If you run a campaign to make email repudiable, and make sure people should know email is repudiable, then this email will be less convincing as evidence.
If you run a campaign to make email repudiable, and make sure people should know email is repudiable, then emails will no longer be convincing evidence.
The original email spec doesn't provide any security against forgeries. The "sent from" field in email is about as secure as the "sent from" field in physical letters. The only reason why laypersons consider email to be non-repudiable is because of additional protocols like SPF and DKIM that were implemented after the original spec. Without these protocols email would be considered repudiable, which OP considers to be a preferrable outcome.
> And that commerce existed before emails?
Yes, and? I'm not claiming that all commerce would come to a halt immediately if this campaign for email repudiability was successful. Of course commerce would continue to exist. But the world would be worse off, not better. There would be slightly more disputes, and dishonest parties would increase their chances of defrauding honest parties.
> You don't need DKIM to solve the issues you've pointed out.
Are you alluding to hypothetical alternative protocols for authenticating contracts? If you can make the world move off from email, that's great! Email is horrible! But if you can't make people move away from email, you won't make the world a better place by making email less secure.
> Again: How many disputes like that have been resolved with DKIM?
How many? As in, you expect me to have statistics on it? Are we pretending that when people resolve disputes, they mark their disputes in some kind of global database that we can query for statistics? You're not making any sense.
> The only reason why laypersons consider email to be non-repudiable is because of additional protocols like SPF and DKIM that were implemented after the original spec
You really think that laypersons have any idea of what DKIM is?
> But the world would be worse off, not better.
That's the whole point of this discussion. You seem to be arguing that the world would be better with non-repudiable email. But then I ask how many disputes have been resolved with DKIM and you have no idea. So basically your argument has zero basis in reality.
You're asking for every email user to have non-repudiation enforced unwillingly to them in every email they send so that someone maybe someday may solve some imaginary dispute with Amazon by using DKIM.
> You really think that laypersons have any idea of what DKIM is?
The layperson doesn't have to understand the intricacies of email protocols, it's enough that they consider email to be non-repudiable. This is why a copy of an email typically suffices as "proof" of a contract. If you successfully run a campaign to make email repudiable, then laypersons will no longer consider email to be non-repudiable, and emails no longer suffice as "proof" of a contract. If you disagree with something I said here, can you specify which part it is exactly that you disagree with?
> You seem to be arguing that the world would be better with non-repudiable email.
Yes, the world is better off now, at a time when laypersons consider e-mail to be non-repudiable, compared to a hypothetical future where this is no longer the case.
> But then I ask how many disputes have been resolved with DKIM and you have no idea. So basically your argument has zero basis in reality.
So if I can't give the exact number of times that DKIM has helped in dispute resolution, then my argument "has zero basis in reality"? This doesn't make any sense. If I said that "the existence of courts prevents vigilantes", you could say the same thing: "well what's the exact number of times that the existence of courts has prevented vigilanteeism? ha! you don't know the exact number! your argument has zero basis in reality then." We could apply your logic to many other scenarios: what's the number of times that existence of guards has prevented prison breaks? What's the number of infections prevented by vaccines? We don't know the exact numbers for any of these things, and yet we can logicly deduce that courts prevent vigilantes, guards prevent prison breaks, vaccines prevent infections, and DKIM prevents breaking contracts.
> You're asking for every email user to have non-repudiation enforced unwillingly to them in every email they send so that someone maybe someday may solve some imaginary dispute with Amazon by using DKIM.
Laypersons already believe that emails have non-repudiation property. People are free to use secure messengers to communicate privately. When people choose to communicate with email, they are choosing non-repudiation over privacy. You are the one who is asking to change e-mail protocols so that they would work differently than people currently expect. I'm the one saying e-mail should work like people expect e-mail to work.
> The layperson doesn't have to understand the intricacies of email protocols, it's enough that they consider email to be non-repudiable.
They consider it non-repudiable not because of DKIM, it's just a common misconception. People believed that before DKIM. They will still believe it if Google discloses its DKIM keys.
They totally should not believe it, though.
> So if I can't give the exact number of times that DKIM has helped in dispute resolution, then my argument "has zero basis in reality"?
Of course that's not what I meant, I don't care about exact numbers. Just give me some evidence that DKIM is relevant to solve disputes anywhere else other than in the minds of HN commenters. Otherwise your claim that the world is better off now with non-repudiable email has no basis in reality.
> they are choosing non-repudiation over privacy
They totally are not. They have no idea what are the properties of email. As an example, a non-tech friend of mine was once surprised that email does not provide any confidentiality.
We're discussing a campaign whose goal is to increase the deniability of email. When you say things like "they will still believe [email is non-repudiable] if Google discloses its DKIM keys", you're essentially saying that this campaign will not be successful in its ultimate goal - that even if the campaign manages to get Google to periodically rotate and publish their DKIM keys, it will not achieve the desired effect of increasing the deniability of email. So, you're saying that this campaign is a fool's errand?
I don't have a strong opinion on the chances of success that this campaign has. What I am saying is that if the campaign was successful in increasing the repudiability of email, that would make it easier for people to repudiate emails that they've sent, and that would be a bad thing in the context of resolving disputes. Do you agree?
