[ietf-dkim] SSP security relies upon the visual domain appearance
ietf-dkim at kitterman.com
Mon Nov 21 07:12:00 PST 2005
On Sun, 20 Nov 2005 18:37:06 -0800 Douglas Otis <dotis at mail-abuse.org>
>On Sun, 2005-11-20 at 14:49 -0500, Scott Kitterman wrote:
>> On 11/19/2005 14:50, Douglas Otis wrote:
>> > You agree that SSP does not provide a mechanism to prevent spoofing
>> > without reliance upon visual presentations...
>> No. I said pretty much the exact opposite of that.
>Here is your comment Sat, 19 Nov 2005:
>| What you are saying is that just because a message meets an SSP
>| requirement is not a safe basis for an MUA marking them somehow good.
>| I agree with that, but I think it's outside the scope of what this
>| almost working group is supposed to do.
>This clarification would seem to require an assumption that _all_
>"spoofs" can be eliminated by the strict comparison of the signing
>domain and From addresses. Paradoxically, you also agree marking such
>messages good in some manner would be unsafe. I assumed you were
>agreeing additional "spoofing" risks not protected by this simplistic
>comparison may involve character-set uncertainty, raw puny-code, similar
>ASCII characters, or "pretty-name" presentations. If you read the SSP
>draft, visual appearance is actually stipulated.
SSP doesn't do what it doesn't do. SSP is not and does not pretend to be
the ultimate solution to phishing. Your concern appears to be with
problems that SSP is not meant to solve. Those aren't threats to SSP, but
threats to the mail system that SSP is not meant to address.
So, I still think your subject line is bogus.
>Why would better spoofing protection requiring less effort, such as
>out-of-band publishing of authorization, be outside the scope of DKIM?
I'm not aware of such a proposal.
>Why are you denying visual examination is required for the SSP approach?
It's the opposite. Visual examination is required to deal with things
outside the scope of SSP.
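The distinction argued in this exchange, as an added illustration that is not part of the thread: the strict SSP-style comparison of the From domain against the DKIM signing domain, next to the separate lookalike and display-name risks it does not see. The protected-domain set and the small confusable table are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed sample data: a domain the receiving site wants to protect.
PROTECTED_DOMAINS = {"example.com"}

# Constructed, deliberately tiny ASCII confusable table (assumption).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}


def ssp_strict_match(from_header, signing_domain):
    """The strict check under discussion: From address domain == signing domain."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return bool(domain) and domain == signing_domain.lower()


def fold_confusables(label):
    """Map lookalike character sequences onto the characters they imitate."""
    for seq, repl in CONFUSABLES.items():
        label = label.replace(seq, repl)
    return label


def visual_risks(from_header):
    """Risks the strict comparison leaves to the reader's eye."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    risks = []
    # Raw punycode labels: the rendered form may differ from the ASCII form.
    if any(label.startswith("xn--") for label in domain.split(".")):
        risks.append("idn-punycode")
    # Similar ASCII characters: a domain that folds onto a protected one.
    folded = ".".join(fold_confusables(l) for l in domain.split("."))
    if domain not in PROTECTED_DOMAINS and folded in PROTECTED_DOMAINS:
        risks.append("ascii-lookalike:" + folded)
    # "Pretty-name" presentation: the display name carries another address.
    match = re.search(r"@([\w.-]+)", name)
    if match and match.group(1).lower() != domain:
        risks.append("display-name-domain:" + match.group(1).lower())
    return risks
```

A message can pass `ssp_strict_match` cleanly (signer and From domain identical) while `visual_risks` still reports a lookalike, which is exactly the gap the thread is arguing over.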