[ietf-dkim] Collection of use cases for SSP requirements

Dave Crocker dhc at dcrocker.net
Thu Nov 9 07:40:37 PST 2006



Charles Lindsey wrote:
> Well at least it is a start to force the phishers into using look-alikes.

As soon as banks start signing their messages and there are credible whitelists 
for their domain names, doesn't this end the ability for phishers to use those 
domain names in the rfc2822.From field?

Therefore, how does SSP have any effect?

That is, if the message is signed and the whitelist says the signer is a Good 
Actor, the message is handled with a favorable eye.  If the message is not 
signed, it is handled with a suspicious eye.

Exactly where does SSP fit into the protection scheme?

What use case does it cover?

Exactly which SSP flag/mechanism is it that provides this additional benefit?


>> Many of them use their own domains, for which they could trivially
>> publish SSP data.
> 
> Which is where we need sites on which "reputations" can be queried. 

Exactly.  In which case, what is the need for SSP?



And, since I happen to think that SSP *can* provide some utility, here's the 
case that makes sense to me:

For domain names that are in the whitelist, an SSP flag that says "I sign 
everything" gives me the ability to handle unsigned messages using that domain 
name in the rfc2822.From (or rfc2822.sender?) field with *extreme* prejudice.

This seems useful to me.

Not earth-shakingly great, but at least useful.

d/
-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
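The handling scheme the post sketches (signed by a whitelisted Good Actor: favorable; unsigned: suspicious; unsigned, but the whitelisted domain publishes "I sign everything": extreme prejudice) can be written down as a small policy evaluator. The code below is an added example, not from the post or from any DKIM/SSP implementation; the domain names, the whitelist, the SSP record table and the practice labels `signs_all` / `signs_some` are all constructed for illustration, and the treatment of a message that is signed by a domain the whitelist does not vouch for is an assumption the post does not spell out.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set


class Disposition(Enum):
    FAVORABLE = "favorable"      # signed, and the signer is a whitelisted Good Actor
    SUSPICIOUS = "suspicious"    # no usable author signature, no policy to lean on
    REJECT = "reject"            # the "extreme prejudice" case from the post


class SigningPractice(Enum):
    """Constructed SSP practice values; the real SSP flag names are not assumed here."""
    UNKNOWN = "unknown"          # no SSP record published for the domain
    SIGNS_SOME = "signs_some"    # domain signs some mail; unsigned mail is not evidence
    SIGNS_ALL = "signs_all"      # the "I sign everything" assertion from the post


@dataclass
class Message:
    from_domain: str                      # domain of the rfc2822.From address
    verified_signer: Optional[str] = None  # d= of a DKIM signature that verified, or None


def _norm(domain: str) -> str:
    """Compare domains case-insensitively and without a trailing dot."""
    return domain.strip().rstrip(".").lower()


def evaluate(msg: Message,
             whitelist: Set[str],
             ssp_records: Dict[str, SigningPractice]) -> Disposition:
    """Map (signature state, whitelist membership, SSP practice) to a disposition.

    Only a verified signature whose d= matches the From domain counts as the
    author having signed; a third-party signature says nothing about the
    author domain's own practice.
    """
    author = _norm(msg.from_domain)
    vouched = author in {_norm(d) for d in whitelist}
    signed_by_author = (msg.verified_signer is not None
                        and _norm(msg.verified_signer) == author)

    if signed_by_author:
        # The post assigns favorable handling only to a whitelisted signer.
        # A valid signature from an unvouched domain proves accountability,
        # not reputation, so it gets ordinary suspicious handling (assumption).
        return Disposition.FAVORABLE if vouched else Disposition.SUSPICIOUS

    practice = ssp_records.get(author, SigningPractice.UNKNOWN)
    if vouched and practice is SigningPractice.SIGNS_ALL:
        # Whitelisted domain that says it signs everything, yet this is unsigned:
        # the one case where SSP adds something the whitelist alone cannot.
        return Disposition.REJECT
    # Unsigned mail from an unknown domain, a look-alike, or a "signs some"
    # domain: nothing here lets a receiver do better than "suspicious".
    return Disposition.SUSPICIOUS


# Constructed sample data standing in for a reputation service and SSP lookups.
WHITELIST: Set[str] = {"bank.example"}
SSP_RECORDS: Dict[str, SigningPractice] = {
    "bank.example": SigningPractice.SIGNS_ALL,
    "news.example": SigningPractice.SIGNS_SOME,
}


def run_scenarios() -> Dict[str, Disposition]:
    """Evaluate the situations discussed in the thread against the sample data."""
    cases = {
        "bank, signed by bank": Message("bank.example", "bank.example"),
        "bank, unsigned": Message("bank.example", None),
        "bank, signed by third party": Message("bank.example", "mailer.example"),
        "look-alike, unsigned": Message("bank-example.com", None),
        "signs-some domain, unsigned": Message("news.example", None),
    }
    return {name: evaluate(m, WHITELIST, SSP_RECORDS) for name, m in cases.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:30s} -> {outcome.value}")
```

The look-alike case is the one Charles Lindsey raises: `bank-example.com` is neither whitelisted nor covered by the bank's SSP record, so the evaluator can only return `suspicious`, which is why the post argues the marginal benefit of SSP is limited to the whitelisted domain's own name.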

