[ietf-dkim] SSP = FAILURE DETECTION
wietse at porcupine.org
Tue Sep 12 10:30:14 PDT 2006
> >>>What was the advantage of SSP with look-alike domains?
> >> To find large unproductive ratholes? Neither DKIM nor SSP claim
> >> to have any direct effect on look-alike domain names, and
> >> there's nothing in our
> > DKIM_BASE allows a recipient to distinguish mail from the bank from
> > look-alike mail that pretends to be from the bank. That information
> > comes in the form of the signing domain.
> > SSP has an advantage when we assume that criminals are stupid enough
> > to keep sending forged mail. It has no advantage with look-alike
> > attacks. Guess what criminals will do.
> hmmmmmmmmm, unless I didn't follow you right, I fail to see the distinction
> or your point.
I get mail that pretends to be from my bank. The SSP says the mail
is 100% pure non-forged. However, the DKIM-BASE signing domain is
not in my list of trusted signing domains. I get a warning that
this mail could be sent by a party that I have no relationship with.
This may be a revolutionary concept to some, but a widely used
application called ssh has been using such tricks for 10 years.
Its approach to opportunistic authentication is not perfect for
purists, but it works for real people.
Having gone in circles twice, I think this is a good time to step
out of this thread.
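The check described in this message, as an added example (not code from the thread or from any DKIM implementation): an explicit trust list for known senders plus an ssh-style first-use memory for everyone else, keyed on the DKIM-BASE signing domain. The From domain, the d= value and the verification result are assumed to come from a DKIM verifier; all domain names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class DkimResult:
    """Constructed stand-in for what a DKIM-BASE verifier reports."""
    from_domain: str          # domain of the header From address
    signing_domain: str       # d= tag of the signature, or None if unsigned
    valid: bool               # True when the signature verified


@dataclass
class SignerMemory:
    """Recipient-side memory of who signs for whom (assumed design)."""
    trusted: dict = field(default_factory=dict)  # From domain -> {signing domains}
    seen: dict = field(default_factory=dict)     # From domain -> {signing domains}

    def classify(self, r: DkimResult) -> str:
        # Without a valid signature there is no signing domain to key on.
        if r.signing_domain is None or not r.valid:
            return "unsigned"
        # Explicitly configured senders: only the listed signers are acceptable,
        # so a valid signature from a look-alike domain still gets a warning.
        if r.from_domain in self.trusted:
            return "trusted" if r.signing_domain in self.trusted[r.from_domain] else "warning"
        # Everyone else: remember the first signer seen for this From domain
        # (like ssh's first connection) and warn when a different one appears.
        known = self.seen.setdefault(r.from_domain, set())
        if not known:
            known.add(r.signing_domain)
            return "first-seen"
        if r.signing_domain in known:
            return "known"
        return "warning"
```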