[ietf-dkim] SSP vs. reputation

Hector Santos hsantos at santronics.com
Fri Jan 25 10:51:46 PST 2008


MH Michael Hammer (5304) wrote:

>> The end result is that if you see my messages are "special", 
>> then you know that you can't "resend" it as "me."
>>
> 
> All your messages are special!

If you wrote it, it's special. Period. :-)

>> Your MUA should tell ya
>>
>>      "Sorry, you can't do this. This message is Special."
> 
> I agree that a well behaved MUA would do this. BAD MUA! BAD!

Not checking it offhand, I wonder how current MUA PGP or currently 
supported mail integrity technology handle the "resending" of digitally 
signed mail.  Does it make a point of popping up?

      "Resending this message as new MAY break the integrity"

In any case, this would be an item in the checkoff list for new DKIM/SSP 
ready MUA designs.

>> We can't have it both ways.  The same way of doing things and 
>> expect to get the security we are seeking.
>>
> 
> +1 

"Who moved my cheese?" (http://www.whomovedmycheese.com) is my 
recommended book to those afraid of change.

> Found this interesting article which is germane even if I don't agree
> with the author's conclusion and desire to pull an "Al Hague".  
> E-mail and its security discontents
> Why Microsoft, Cisco, IBM and others need to step up to protect SMTP
> http://www.arnnet.com.au/index.php/id;1603491549

I bookmarked this to read it later on today.

>> Something has to give and this one is perfectly acceptable to 
>> me because it helps secure my domains as I intended it to be 
>> secured with a DKIM=STRICT.

> And this desire for protection grows as we all run in circles. The other
> day I was going through some boxes that had been sitting in my basement
> for a (long) while. Found a box filled with internet industry magazines
> from the mid-to-late 1990s. With only a few tweaks the articles and
> letters to the editor related to abusive email would be applicable
> today.
> 
> Food for thought.

I honestly think everyone wants the same goals. I respect Mr. Crocker's 
mantra for incremental changes.  That's conservative and necessary.  But 
then you see the conflicts of self-interest reputation service marketing 
campaign that is basically nullifying all logic.

If you have not seen my DSAP IETF I-D (Now expired),

     http://tools.ietf.org/html/draft-santos-dkim-dsap-00

it was based on the simple premise of making sure the DKIM-BASE protocol 
is consistent with the domain's signing or non-signing expectations. It 
was designed to look for the FAULTS in a transaction.

It asked the following questions:

    o  Does the domain ever distribute mail?
    o  Do you expect the mail to be unsigned?
    o  Do you expect to sign all mail?
    o  Is your domain the exclusive signer?
    o  Are 3rd party signers or signatures allowed?
    o  Are 3rd party signers allowed to strip your original signatures?

These fault questions can be answered *without* reputation services in a 
standard general case, wide adoption basis.


-- 
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
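
An added example, not part of the original post and not code from the DSAP draft: one way the six questions listed above can drive a fault check on a single message with no reputation lookup. The field names, the fault strings and the reading given to each question are assumptions made for illustration; only DKIM signatures that verified are counted, and a failed signature is treated as absent.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SigningExpectations:
    # Hypothetical field names, one per question in the list above.
    distributes_mail: bool
    expects_unsigned: bool
    signs_all_mail: bool
    exclusive_signer: bool
    third_party_allowed: bool
    third_party_may_strip: bool


def find_faults(policy, author_domain, verified_signers):
    """Return fault strings for one message.

    author_domain: domain of the From: address.
    verified_signers: d= domains of DKIM signatures that verified.
    """
    author = author_domain.lower()
    signers = {d.lower() for d in verified_signers}
    own = author in signers                # signed by the author domain
    third = sorted(signers - {author})     # any other signing domain
    if not policy.distributes_mail:
        return ["domain never distributes mail"]
    faults = []
    if policy.expects_unsigned and own:
        faults.append("domain signature present, mail expected unsigned")
    if third and (policy.exclusive_signer or not policy.third_party_allowed):
        faults.append("third-party signer not allowed: " + ", ".join(third))
    if policy.signs_all_mail and not own:
        # Tolerated only when a permitted third party re-signed the mail
        # and the domain lets third parties strip its signature.
        if not (third and policy.third_party_may_strip):
            faults.append("original domain signature missing")
    return faults


# Constructed sample: a strict domain that signs everything itself.
STRICT = SigningExpectations(True, False, True, True, False, False)
# Constructed sample: a domain that lets a list re-sign and strip.
RELAXED = SigningExpectations(True, False, True, False, True, True)
# Constructed sample: a domain that never sends mail at all.
NO_MAIL = SigningExpectations(False, False, False, False, False, False)
```
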


