[ietf-dkim] DKIM SSP: Security vulnerability when SSP recorddoesnot exist?

[Arvel Hathcock]

> If you can show that publishing base will in no way cripple or weaken SSP 
> then I for one will get behind your plan.  If you can't, I and others 
> won't.  That is the debate here.

This was not fair of me to say because it is not possible to prove a 
negative.  My apologies Dave, and everyone.

What specifically I'm trying to get at is that by relaxing or removing the 
language from base which currently requires SSP (specifically section 6.5) 
this will render the implementation of the SSP spec an optional thing when 
today it is a required expectation of all DKIM base implementations.  If 
DKIM is meant to address the problem of unauthorized domain use in an email 
identity header then it seems counter-intuitive to make the only part of 
DKIM that directly addresses that topic an optional exercise.

However, there is another way to look at this.  The goal of the WG could be 
to address both the problem of unauthorized domain use _and_ the problem of 
the lack of an accountable identity in email.  DKIM base addresses the 
second issue while DKIM SSP addresses the first (and uses DKIM base to do 
so).  If we can charter a WG with the focus being on making a positive 
contribution toward addressing both problems (however imperfectly) then 
perhaps this isn't as bad a mistake as I thought it might be.

We can publish DKIM base with the clear understanding that it only addresses 
the accountable domain goal of the WG.  Then we can publish DKIM ssp with 
the understanding that it addresses the unauthorized use issue.

I'm coming around to thinking this might be a viable way to proceed.

-- 
Arvel