[ietf-dkim] Collection of use cases for SSP requirements
wietse at porcupine.org
Thu Nov 9 06:11:21 PST 2006
> c) paypal-payments.com publishes that note. I don't want their mail
> whether they verify or not.
> >>C is not the problem SSP is meant to solve.
> SSP can solve or substantially help exact domain forgery. Some
> of us think that's useful, some don't.
It's certainly useful for the bad guys behind paypal-payments.com
etc. After all, their own SSP record says their mail is authentic.
SSP helps the bad buys to create an *illegitimate* sense of security
from a *legitimate* DKIM-base result.
I find that very, very, embarassing.
SSP does not help customers to find out if paypal-payments.com is
their paypal bank. For that, DKIM-base results need to be used in
a more appropriate manner. We had lengthy discussions on that
already here, and they are already archived for eternity.
More information about the ietf-dkim