[ietf-dkim] Comments on SSP Review BASIC ISSUES

Steve Atkins steve at blighty.com
Tue Dec 4 16:43:08 PST 2007


On Dec 4, 2007, at 3:45 PM, Arvel Hathcock wrote:

> Hi!
>
> I'm sure others will make more intelligent comments but I have a  
> few that I'd like to offer.
>
> First, text in the SSP draft states repeatedly that receivers are  
> free to dispose of their messages as they see fit so I think that  
> certain and frequent comments in the Review to the contrary are  
> incorrect.
>
>> In general, the draft needs to consider adoption incentives for  
>> receivers.
>
> SSP offers itself as a means to detect unauthorized domain use.   
> That is sufficient incentive for adoption by receivers.

It doesn't provide a reliable means to detect unauthorized domain  
use. That alone is sufficient reason for receivers (and many senders)  
to be skeptical about deployment.

How unreliable it is we don't know yet, but until we have more
operational experience with DKIM it's reasonable to assume the worst.

If it starts being deployed and we discover that the SSP
false-positive rate is too high we'll lose a huge amount of time rolling
back deployment of SSPv1 and working on a more realistic SSPv2.

The SSP false-positive rate will be driven primarily by the DKIM  
false-negative rate. As that's a critical piece of data needed to  
complete the SSP design to a level of quality suitable for widespread  
deployment the wisest course of action would seem to be to wait until  
we have wider DKIM deployment and more DKIM operational experience,  
and then to gather that data.

(In parallel with gathering that data we could also take more time to
deal with some of the other issues with SSP semantics in a broader
forum, with more input from real-world senders and receivers,
rather than the small subset currently looking at it).

Cheers,
   Steve


