Ned Freed wrote:
> Now, if at some point in the future, after this group is done and has "walked
> into absence", it makes sense to reuse some or alll of DKIM to provide some of
> these other services in lieu of using S/MIME, PGP or whatever, that's fine.
> Incremental development is A Good Thing. But we need to focus on a problem
> that's just large enough to provide sufficient utility for deployment but not
> so large it causes confusion and hesitation. Finding this balance isn't easy,
> but I think the current proposals are very close.
Which current proposal do you find very close, the one with or the one
without SSP or are you saying that's true of either one?
DKIM without SSP is useful, but SSP adds significant value. OTOH, right now SSP
is nowhere near as well thought out as DKIM is. So, in the interests of getting
things done, I tend to think the approach of DKIM first, SSP next is best.
Divide and conquer has often proved to be a useful strategy in the IETF.
The real question is how this affects the threat analysis. I think SSP needs to
be part of the analysis, but we need to be clear when we're talking about base
DKIM and when we're talking about SSP. That way we know which benefits (and
risks) accrue from what.
Ned
_______________________________________________
ietf-dkim mailing list
http://dkim.org