Exactly! Well said Scott!
--
Arvel
----- Original Message -----
From: "Scott Kitterman" <ietf-dkim(_at_)kitterman(_dot_)com>
To: <ietf-dkim(_at_)mipassoc(_dot_)org>
Sent: Tuesday, August 23, 2005 2:08 PM
Subject: Re: [ietf-dkim] Not exactly not a threat analysis
Ned Freed wrote:
DKIM without SSP is useful, but SSP adds significant value. OTOH, right now SSP
is nowhere near as well thought out as DKIM is. So, in the interests of getting
things done, I tend to think the approach of DKIM first, SSP next is best.
Divide and conquer has often proved to be a useful strategy in the IETF.
The real question is how this affects the threat analysis. I think SSP needs to
be part of the analysis, but we need to be clear when we're talking about base
DKIM and when we're talking about SSP. That way we know which benefits (and
risks) accrue from what.
Makes sense. I just worry that the first thing is the only thing that
ever gets done.
I'd prefer working on both, but not requiring them to finish together.
That way SSP won't require a new start once the base is published, it'll
just be part of the ongoing work.
It appears to me that there are those who do not want SSP for reasons that
aren't clear to me. I'd rather get SSP in scope once and for all and not
have to have the scope argument again after base is published.
Same starting line for both, not necessarily the same finish line.
_______________________________________________
ietf-dkim mailing list
http://dkim.org