[ietf-dkim] The limits of DKIM and SSP

[Scott Kitterman]

On Monday 10 December 2007 08:36, Wietse Venema wrote:
> Scott Kitterman:
> > On Sunday 09 December 2007 10:07, Wietse Venema wrote:
...

> > > Conclusion
> > >
> > > We have a paradox where DKIM-BASE does not promise protection
> > > against phishing attacks, but it's near trivial to use for that
> > > purpose with a local address book; while SSP protection against
> > > phishing can be sidestepped near trivially because it is grounded
> > > in statements by a Sender Domain whose trustworthiness is unproven.
> >
> > Assuming SSP asserts something positive beyond what DKIM asserts.  It
> > doesn't. It allows a negative to be identified.
>
> It is not in the Bank's interest to say negative things about the
> Banks mail.
>
> Likewise, it is not in the Criminal's interest to say negative
> things about the Criminal's mail.
>
> SSP alone does not distinguish between mail from a Bank and mail
> from a Criminal who pretends to be a bank. That is SSP's dirty
> little secret.
>
> This was my final attempt to illustrate this fundamental problem.
> I can lead the horse to the water but I can't force it to drink.

Fair enough.  Thank you for trying again.  I think we are in agreement about 
what SSP can't do.  It seems to me that the fundamental disagreement is about 
whether the relatively small thing is can do is worth doing or not.

What you describe as a "Dirty little secret", I don't think is a secret at 
all.

SSP can help receivers identify exact domain use by external entities.  For 
some classes of domains such use is overhwhelmingly likely to be fradulent 
and SSP can give receivers a way to reliably identify unauthorized use and 
reject such mail.  It's only a very narrow piece of the phishing problem, but 
one that I find worth dealing with (even if the end result is just that such 
messages don't get sent anymore because they stop working).

Scott K