[ietf-dkim] New Issue: 4.2 needs new Attack Item: Inconsistent
Signature vs Policy Attacks
Dave Crocker
dhc at dcrocker.net
Tue Jan 31 09:45:54 PST 2006
> SSP is not necessary if a valid originating address signature is found.
This has always struck me as an astonishingly powerful observation.
It means that we can have entirely independent lines of discussion. One for the
creation and handling of a successful signature. The other for all other
scenarios.
In particular, it means that the signature work can be partitioned from the
non-signature work. (To anticipate a mis-reading of this comment: I am not
saying that the two are not equally important. Merely that each can receive its
own focus of effort.)
My reading of the comments about the signature mechanism, versus comments on the
SSP mechanism, is that the former tend to represent very narrow, crisp,
technical details, whereas the latter tend to be far more conceptual.
Given that the signature mechanism was carefully designed to re-use quite a bit
of well-understood mechanism, it is not surprising that review and revision to
it can be so crisp. This tends to permit efficiently understanding the problem
and usually means efficiently fixing it.
Given that SSP pertains to a topic that has little, if any, Internet-scale
standardization or operations history, and given that it pertains to
human/organizational rules, rather than lower-level bit-twiddling, it is also
not a surprise that discussion about it requires wandering around the concept
space rather more.
d/
--
Dave Crocker
Brandenburg InternetWorking
<http://bbiw.net>
More information about the ietf-dkim
mailing list