[ietf-dkim] Re: ISSUE 1521 -- Limit the application of SSP to
hsantos at santronics.com
Thu Jan 24 20:06:16 PST 2008
Steve Atkins wrote:
>> It is would be one thing to kill SSP for its technical merits, but no
>> one has SHOWN it is flawed system. NO one.
> Sure they have. Numerous times. Anyone who doesn't recognize that it
> has flaws is, honestly, not technically knowledgeable enough to be able
> to offer anything useful to the spec development.
All the concerns are directly attributed to SSP threatening reputation
services. Case in point, Dave's Deployment Drafts has no SSP
consideration, never had any consideration for it and it is 100% tied to
reputation. The deployment guide specifically states:
Unless a scheme can correlate the DKIM signature with
accreditation or reputation data, the presence of a DKIM
signature SHOULD be ignored.
And that implies even a VALID signature. So the DEPLOYMENT draft changes
the semantics of DKIM-BASE itself to one where DKIM-BASE is now deemed
useless unless a reputation system is in place. Go figure.
SSP lowers the need to reputation services and everyone with a good
engineering, product development and marketing sense can see that.
SSP is a 100% perfectly viable and top notch engineers, good people,
like Eric, Jim, including myself, Arvel and many others contributed
greatly to the specs and believe it has value WITH and WITHOUT
signatures. To suggest we are all WRONG is offensive. The fact is, we
were not wrong.
> That SSP has some serious flaws isn't, in itself, a reason not to develop
> it and deploy it.
Can you outline the serious TECHNICAL flaws? I have a feeling you will
not be able to.
> But if the people who are developing the specification
> are not capable of recognizing that there are flaws, we have a problem.
No, we have a problem with the self-interest promotions of direct
marketing related people here who want their cake and eat it too, at the
expense at all others.
The bottom line, truth be told, SSP threatens the adoption rate of any
reputation service. It needs to be stated because all this has gotten
out of hand. You have to question why Dave had endorsed 5016 only to
come back later acting like he knew nothing about it. Wasted everyone's
>> Purely based on self interest, and unfortunately we have a few cogs
>> who are masters of getting things KILLED if they want it to DIE.
>> It is a very SAD that not enough the technical developers are here to
>> mandate the direction.
> On the contrary. It's those with most technical experience who see the
> flaws in it, generally.
And generally that is true, but that hasn't happen here, and quite
frankly, you are in no position to question anyone's technical experience.
Since day one, John and Dave never had any sincere interest in seeing
SSP get developed or allow for it to get develop by others. None of
them have any interest in it - period. It didn't serve their purpose.
In fact, it hampered the push for reputation services.
Since day one all these issues were on the table, the multiple
co-authors and the 3rd party issues, so there is nothing new here.
Now, not even the watered down STRICT/ALL policies are good enough and
now we have a marketing campaign and Deployment Draft that is 100%
designed around reputation, NO SSP consideration whatsoever, not even
for NONE signatures. In fact, not even a valid signature is good enough
unless its tied to reputation.
That is not a technical issue. That was a strategic business design
decision to promote reputation services.
So lets get it out because the bottom line, there was never any sincere
technically driven group effort to squeeze out all the issues *without*
a REPUTATION concept clouding the issues.
Hector Santos, CTO
More information about the ietf-dkim