[ietf-dkim] The limits of DKIM and SSP
hsantos at santronics.com
Mon Dec 10 10:05:53 PST 2007
Dave Crocker wrote:
> Fraudulent From domains are a problem, and they certainly occur in
> massive numbers, but if bad actors can trivially use alternatives that
> are not equally protected, fixing only the fraudulent From domain issue
> is of no long-term benefit.
Yes and No.
Part of investing in solution comes with an expecting there will be high
payoff. Thats a given.
In my engineering view, there is a high payoff in eliminating one of the
most obvious frauds there is that today we have no real reliable
More importantly, when done as a group, you begin to do something that
was never done before - force the bad guy to change or adapt. Help
shift the burden and cost to the bad guy. Do nothing? Like today, the
bad guy has no incentive to adapt.
So if adapting to the other "look-alike" domains, then this will narrow
the focus of developing augmented solutions that begin to require
learning, heuristics and artificial intelligence methods.
But in the mean time, we closed one of the biggest loopholes we have
today. We force the bad guys to change - a shift in the cost burden.
> As such, anything that SSP attempts needs to be evaluated in terms of
> long-term benefits and the likelihood that there is a simple work-around
> available to bad actors.
That has been done Dave. Unfortunately, you have your own filtering
> And we certainly have not done a threats and work-arounds
> analysis for SSP.
This is so not true David. What will it take to prove it was already
done? What are you looking for?
> For each proposed SSP feature, there needs to be a statement describing
> the thread, the way that the feature will mitigate it and some
> discussion of possible work-arounds and the ease with which they can be
The analysis had already been done. There were a few proposals centered
around it and the RFC 5016 Requirements document and SSP-01 draft are
reflections of that 2+ year analysis.
That said, I do agree with you there are troubling aspects of it and
they were predicted to occur by a few people in the group.
I always felt that sound engineering will engineering prevail. To my
surprise, I wonder why it took you so long to bring up a few of these
critical points that were clearly highlighted many times here. They are
the reasons why had did other I-D proposals written.
Unfortunately, David, with all due respect, you seem to have your own
process of dissemination information. I can suggest that you begin
reading input from all interested parties and not just a selected few
you deem worthy of your attention. This is not an attack on your
person, I have a tremendous amount of respect for you, but it is an
observation of whats going on here.
Hector Santos, CTO
More information about the ietf-dkim