[ietf-dkim] DKIM SSP: Security vulnerability when SSP record does not exist?

Scott Kitterman ietf-dkim at kitterman.com
Mon Aug 22 08:35:16 PDT 2005


I really don't have an opinion on your revocation identifier idea.  I 
thought we were discussing scope of the WG effort rather than the design 
of the product.

I also think that we are pretty much going in circles at this point.

To summarize, you think that SSP is dangerous, won't do what its 
proponents claim, and can't be fixed.  Thus SSP and its ilk shouldn't 
be dealt with by the working group.  You believe that there are other, 
better ways to solve whatever problem it is that you are trying to solve.

I, and I believe others, think that SSP is essential and that while DKIM 
signatures alone may have some value, the marginal utility for DKIM 
absent some expression of sender policy is low.

Personally, I don't think we want to build a base spec that requires the 
SSP work to finish concurrently.  I don't think it's necessary.  What I 
think we absolutely need to avoid is a charter that just does that base 
and defers SSP to some future effort.  The charter needs to include both.

Scott Kitterman

