[ietf-dkim] DKIM SSP: Security vulnerability when SSP record
does not exist?
Scott Kitterman
ietf-dkim at kitterman.com
Thu Aug 25 05:33:04 PDT 2005
Douglas Otis wrote:
>
> On Aug 24, 2005, at 6:05 PM, Dave Crocker wrote:
>
>> On Wed, 24 Aug 2005 17:56:55 -0700, Douglas Otis wrote:
>>
>>> It is not the SSP statement that is the problem, but confusion about
>>> forgery protections.
>>>
>>
>> The concern I was responding to was quite clearly stated and specific
>> in its focus.
>>
>> It had nothing to do with forgery protection, but rather the
>> scheduling of work on SSP.
>
>
> After a lengthy discussion with Scott, it is clear he holds
> expectations that DKIM's sole role is protecting the mailbox-domain.
> This is expressed within the lead-in phrase "Forgery of headers that
> indicate message origin". While the signature of the message may
> encompass other headers, there is no assured relationship between the
> signing domain and whatever may appear within a header 'assumed' to
> indicate a message's origin. The lead-in phrase of the charter is
> misleading as it does not speak to those uses where there is no
> relationship whatsoever between the mailbox-domains and the
> signing-domain. Mailbox-domains and the signing-domains being different is
> even likely the typical case.
>
Please quote the post where I said that was DKIM's sole role.
I certainly said that it (meaning forgery protection) is the application
that's of most interest to me.
Scott Kitterman