[ietf-dkim] Re: I-D ACTION:draft-ietf-dkim-overview-04.txt

Hector Santos hsantos at santronics.com
Wed Mar 14 16:51:35 PST 2007


Steve Atkins wrote:
> 
> On Mar 14, 2007, at 1:28 PM, Hector Santos wrote:
> 
>> I could be wrong, but I believe he was referring to backward 
>> compatibility issues with a new legacy market of DKIM-BASE only 
>> systems vs DKIM-BASE PLUS SSS systems.
> 
> Are you suggesting that deploying SSP will break dkim-base? Could you 
> explain how, if so?

Yes and No.

The answer to your question depends on many factors, but it is really 
quite simple. This scenario is not new. Code Red and similar threats are 
based on the premise that there exists a market of old and legacy systems.

Given two sets of RECEIVERS:

   RECEIVER-A:  Legacy DKIM-BASE system. Supports DKIM-BASE only
   RECEIVER-B:  Updated to support DKIM-BASE+SSP

and given a DOMAIN that has determined that it is "better" to use SSP than 
not to use SSP, and therefore uses a strong SSP policy for signing,

then who do you think the BAD GUY will target?

   Simple:  RECEIVER-A

RECEIVER-A will bear the brunt of the premature decisions.  The DOMAIN 
reputation will be harmed because there exists a legacy of DKIM-BASE-only 
systems that bad guys will target.

So using the word "break" is not a term I would use.  But I would say 
that the promotion and recommendation that it is SAFE to use DKIM-BASE 
without any helper technology is, in my strong opinion, a very poor 
engineering decision because it HARMS receivers and domains.

Of course, RECEIVER-A would have to upgrade, and I believe that is the 
question Mr. Lear was posing to Mr. Powers.  Will systems upgrade at a 
later point?

Of course, I think the answer is YES if such systems realize that it's 
better to upgrade.  But we can only hope it is sooner rather than later, so 
that we minimize the number of legacy DKIM-BASE-only systems.

Hope this helps

---
HLS
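The two-receiver scenario above, worked through as an added example (editor's code, not from the poster or the IETF drafts). It models a legacy receiver that evaluates only the DKIM signature result and an updated receiver that additionally consults the author domain's published signing practice. The key table, the SSP table, the message set and the HMAC-based "signature" are all constructed stand-ins: real DKIM-BASE verifies an RSA signature against a public key fetched from DNS, and the practice values "all" and "unknown" only loosely follow the SSP draft's vocabulary; the exact record syntax is an assumption here, not a claim about the draft.

```python
"""Model of DKIM-BASE-only vs DKIM-BASE+SSP receivers facing a forged message."""
import hashlib
import hmac

# Constructed stand-in for the DNS key records of signing domains.
# A shared secret replaces the real public/private key pair to keep the
# example self-contained; only the receiver decision logic matters here.
KEYS = {"example.com": b"constructed-signing-secret-for-example.com"}

# Constructed stand-in for published SSP practices (assumed vocabulary):
#   "all"     -> the domain says every message it originates is signed
#   "unknown" -> the domain makes no statement (the default if unpublished)
SSP = {"example.com": "all", "unsigned.example": "unknown"}


def from_domain(msg):
    """Extract the author domain from a 'Name <local@domain>' From header."""
    return msg["From"].split("@")[1].strip(">").strip()


def sign(msg, domain):
    """Attach a toy DKIM-Signature (d= domain, b= HMAC over the body)."""
    tag = hmac.new(KEYS[domain], msg["Body"].encode(), hashlib.sha256).hexdigest()
    return {**msg, "DKIM-Signature": f"d={domain}; b={tag}"}


def verify_dkim(msg):
    """DKIM-BASE result: 'none' (no signature), 'pass' or 'fail'."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return "none"
    tags = dict(part.strip().split("=", 1) for part in sig.split(";"))
    key = KEYS.get(tags.get("d", ""))
    if key is None:
        return "fail"  # unknown signer: the "DNS lookup" finds no key
    expected = hmac.new(key, msg["Body"].encode(), hashlib.sha256).hexdigest()
    return "pass" if hmac.compare_digest(expected, tags.get("b", "")) else "fail"


def receiver_a(msg):
    """RECEIVER-A, legacy DKIM-BASE only.

    With no policy lookup, an unsigned forgery of example.com looks exactly
    like legitimate unsigned mail from a domain that never signs, so the
    only thing this receiver can reject is a signature that fails to verify.
    """
    return "reject" if verify_dkim(msg) == "fail" else "accept"


def receiver_b(msg):
    """RECEIVER-B, DKIM-BASE plus an SSP lookup on the author domain.

    Simplification: a passing signature is treated as sufficient without
    checking that d= matches the From domain (first-party vs third-party
    signatures are a separate SSP discussion).
    """
    result = verify_dkim(msg)
    if result == "pass":
        return "accept"
    if result == "fail":
        return "reject"
    practice = SSP.get(from_domain(msg), "unknown")
    # Unsigned mail from a domain that publishes "all" is exactly the
    # forgery the policy exists to expose.
    return "reject" if practice == "all" else "accept"


# Constructed sample traffic.
LEGIT_SIGNED = sign({"From": "Alice <alice@example.com>", "Body": "Invoice attached"},
                    "example.com")
FORGED_UNSIGNED = {"From": "Alice <alice@example.com>", "Body": "Urgent: wire funds"}
LEGIT_UNSIGNED = {"From": "Bob <bob@unsigned.example>", "Body": "Lunch?"}
TAMPERED = {**LEGIT_SIGNED, "Body": "Invoice attached (altered in transit)"}


def run_scenario():
    """Return each receiver's verdict on each constructed message."""
    cases = {"legit_signed": LEGIT_SIGNED, "forged_unsigned": FORGED_UNSIGNED,
             "legit_unsigned": LEGIT_UNSIGNED, "tampered": TAMPERED}
    return {name: (receiver_a(m), receiver_b(m)) for name, m in cases.items()}


if __name__ == "__main__":
    for name, (a, b) in run_scenario().items():
        print(f"{name:16s} RECEIVER-A={a:7s} RECEIVER-B={b}")
```

The only case where the two receivers disagree is the unsigned forgery of a domain that publishes "all": RECEIVER-B rejects it, RECEIVER-A accepts it, which is why an attacker who knows a mix of receivers exists simply aims forged, unsigned mail at the legacy population.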
