[ietf-dkim] Tracing SSP's paradigm change
steve at blighty.com
Thu Dec 6 10:11:43 PST 2007
On Dec 6, 2007, at 9:58 AM, Scott Kitterman wrote:
> On Thursday 06 December 2007 12:49, Steve Atkins wrote:
>> In a well-designed protocol based on DKIM, yes I'd agree that a
>> validly DKIM signed message should not provoke an SSP query.
>> But that's not the protocol we have.
>> I think RFC 5016 shows a lack of understanding of DKIM (or is
>> not to consider some important features of DKIM), and is
>> part of the push to try and build a next generation SPF on
>> an inappropriate base authentication technology.
> I think you aren't understanding the purpose of SSP at all.
> If any random signature from any domain obviates the SSP, what
> possible use is
Bill Oxley observed across threads "When it comes to discussing
SSP I hear a lot of noise with very little reason to implement or use
except in a few specific cases like highly phished sites."
There's a long discussion to be had there, which starts with me
asking "Well, what's your threat model?" and would ideally follow
with "So, given this framework, what is your attack tree, and how
does SSP help thwart it?", but when I've tried to have that discussion
in the past it's not gone anywhere productive.