[ietf-dkim] New Issue: Introduction lacks the introduction of SSP

Stephen Farrell stephen.farrell at cs.tcd.ie
Tue Jan 24 05:02:51 PST 2006


Hi Hector,

Hector Santos wrote:
> I really don't like paragraph two of the introduction:
> 
>  Once the attesting party or parties have been established, the
>  recipient may evaluate the message in the context of additional
>  information such as locally-maintained whitelists, shared reputation
>  services, and/or third-party accreditation.  The description of these
>  mechanisms is outside the scope of this effort.  By applying a
>  signature, a good player enables a verifier to associate a positive
>  reputation with the message, in hopes that it will receive
>  preferential treatment by the recipient.
> 
> If the A/R issue is out of scope, then there is no need to refer.  

I'm not entirely clear what you don't like there, but rather than
explain it might be easier if you could offer a better wording?

> This
> introduction has laid the groundwork as to HOW one may deem what is good
> or bad - reputation.
> 
> Yet, the intro lacks any introduction of SSP, which is currently the
> primary mechanism to establish the assurances of the protocol as it is
> discussed throughout the document as well as any threats against it. It
> is the basis for much of the threat discussions, yet there is no
> reference or introduction to SSP as an essential part of the protection
> scheme used to address threats.
> 
> Instead, we have what is supposed to be an "out of scope" A/R discussion
> throughout the document.
> 
> The truth is, it is not out of scope. A/R discussion is found
> throughout the entire document as an essential idea, technology or
> what have you to resolve many of the issues.
> 
> We even have a TOC index for Reputation but not SSP.  Go figure.
> 
> Doesn't make sense.  What do you guys want?

Well, that's not quite accurate. 3.2.3 is called reputation attacks
and (is one paragraph that) discusses attacks against the reputation
of someone. While that may be confusing, it has no implication at
all that a reputation system is, or is not, a reasonable
countermeasure and it certainly says nothing about SSP. I'd also note that
section 4.2 is basically about SSP, even if the acronym doesn't
appear in the title.

Regards,
Stephen.


