[ietf-dkim] The limits of DKIM and SSP

Hector Santos hsantos at santronics.com
Mon Dec 10 10:05:53 PST 2007 

Dave Crocker wrote:

> Fraudulent From domains are a problem, and they certainly occur in 
> massive numbers, but if bad actors can trivially use alternatives that 
> are not equally protected, fixing only the fraudulent From domain issue 
> is of no long-term benefit.

Yes and No.

Part of investing in solution comes with an expecting there will be high 
payoff. Thats a given.

In my engineering view, there is a high payoff in eliminating one of the 
most obvious frauds there is that today we have no real reliable 
protection against.

More importantly, when done as a group, you begin to do something that 
was never done before - force the bad guy to change or adapt.  Help 
shift the burden and cost to the bad guy.  Do nothing?  Like today, the 
bad guy has no incentive to adapt.

So if adapting to the other "look-alike" domains, then this will narrow 
the focus of developing augmented solutions that begin to require 
learning, heuristics and artificial intelligence methods.

But in the mean time, we closed one of the biggest loopholes we have 
today.  We force the bad guys to change - a shift in the cost burden.

> As such, anything that SSP attempts needs to be evaluated in terms of 
> long-term benefits and the likelihood that there is a simple work-around 
> available to bad actors.

That has been done Dave.  Unfortunately, you have your own filtering 
process.

> And we certainly have not done a threats and work-arounds 
 > analysis for SSP.

This is so not true David. What will it take to prove it was already 
done?  What are you looking for?

> For each proposed SSP feature, there needs to be a statement describing 
> the thread, the way that the feature will mitigate it and some 
> discussion of possible work-arounds and the ease with which they can be 
> used.

The analysis had already been done. There were a few proposals centered 
around it and the RFC 5016 Requirements document and SSP-01 draft are 
reflections of that 2+ year analysis.

That said, I do agree with you there are troubling aspects of it and 
they were predicted to occur by a few people in the group.

I always felt that sound engineering will engineering prevail. To my 
surprise, I wonder why it took you so long to bring up a few of these 
critical points that were clearly highlighted many times here. They are 
the reasons why had did other I-D proposals written.

Unfortunately, David, with all due respect, you seem to have your own 
process of dissemination information.  I can suggest that you begin 
reading input from all interested parties and not just a selected few 
you deem worthy of your attention.  This is not an attack on your 
person, I have a tremendous amount of respect for you, but it is an 
observation of whats going on here.

-- 
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

More information about the ietf-dkim mailing list