[ietf-dkim] Re: ISSUE 1521 -- Limit the application of SSP to unsigned messages

Hector Santos hsantos at santronics.com
Thu Jan 24 20:06:16 PST 2008


Steve Atkins wrote:

>> It would be one thing to kill SSP for its technical merits, but no 
>> one has SHOWN it is a flawed system. NO one.
> 
> Sure they have. Numerous times. Anyone who doesn't recognize that it
> has flaws is, honestly, not technically knowledgeable enough to be able
> to offer anything useful to the spec development.

I disagree.

All the concerns are directly attributed to SSP threatening reputation 
services.  Case in point, Dave's Deployment Drafts has no SSP 
consideration, never had any consideration for it and it is 100% tied to 
reputation. The deployment guide specifically states:

    Unless a scheme can correlate the DKIM signature with
    accreditation or reputation data, the presence of a DKIM
    signature SHOULD be ignored.

And that implies even a VALID signature. So the DEPLOYMENT draft changes 
the semantics of DKIM-BASE itself to one where DKIM-BASE is now deemed 
useless unless a reputation system is in place.  Go figure.

SSP lowers the need for reputation services and everyone with a good 
engineering, product development and marketing sense can see that.

SSP is 100% perfectly viable, and top notch engineers, good people, 
like Eric, Jim, including myself,  Arvel and many others contributed 
greatly to the specs and believe it has value WITH and WITHOUT 
signatures.   To suggest we are all WRONG is offensive.  The fact is, we 
were not wrong.

> That SSP has some serious flaws isn't, in itself, a reason not to develop
> it and deploy it. 

Can you outline the serious TECHNICAL flaws?  I have a feeling you will 
not be able to.

> But if the people who are developing the specification
> are not capable of recognizing that there are flaws, we have a problem.

No, we have a problem with the self-interest promotions of direct 
marketing related people here who want their cake and eat it too, at the 
expense of all others.

The bottom line, truth be told, SSP threatens the adoption rate of any 
reputation service.   It needs to be stated because all this has gotten 
out of hand.   You have to question why Dave had endorsed 5016 only to 
come back later acting like he knew nothing about it.  Wasted everyone's 
time.

>> Purely based on self interest, and unfortunately we have a few cogs 
>> who are masters of getting things KILLED if they want it to DIE.
>>
>> It is very SAD that not enough of the technical developers are here to 
>> mandate the direction.
> 
> On the contrary. It's those with most technical experience who see the
> flaws in it, generally.

And generally that is true, but that hasn't happened here, and quite 
frankly, you are in no position to question anyone's technical experience.

Since day one, John and Dave never had any sincere interest in seeing 
SSP get developed or allow for it to get developed by others.  None of 
them have any interest in it - period.  It didn't serve their purpose. 
In fact, it hampered the push for reputation services.

Since day one all these issues were on the table, the multiple 
co-authors and the 3rd party issues, so there is nothing new here.

Now, not even the watered down STRICT/ALL policies are good enough and 
now we have a marketing campaign and Deployment Draft that is 100% 
designed around reputation, NO SSP consideration whatsoever, not even 
for NONE signatures.  In fact, not even a valid signature is good enough 
unless it's tied to reputation.

That is not a technical issue.  That was a strategic business design 
decision to promote reputation services.

So let's get it out because the bottom line, there was never any sincere 
technically driven group effort to squeeze out all the issues *without* 
a REPUTATION concept clouding the issues.

-- 
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com


