[ietf-dkim] DKIM SSP: Security vulnerability when SSP record does not exist?
Douglas Otis
dotis at mail-abuse.org
Wed Aug 24 11:44:20 PDT 2005
On Aug 24, 2005, at 11:14 AM, Scott Kitterman wrote:
>
> What you are asking is what won't SSP accomplish. It's difficult
> to answer those questions before the design work is done. So let's
> quit arguing about if it should be done. Get it done and see what
> it buys us.

Before setting out on change, establish realistic expectations.
Currently your conversations should be related to that goal. What
will domain-wide assertions accomplish? What threats will this
address? There are a few areas where domain-wide assertions relating
to use of a protocol could be beneficial, such as when detecting
unauthorized servers. Beyond the immediate domain and server, things
are rather murky.

Spend some effort explaining what you envision.

Provide realistic assessments of what it can accomplish with respect
to current problems.

Play devil's advocate with what new risks could be created.

When you say get 'it' done, I can only guess what you mean. Hardly
a basis for a charter. : )

-Doug