On October 12, 2005 at 18:14, Ned Freed wrote:
For example, there seems to be no problem in mentioning DNSSEC as a
technology for dealing with some DNS-based attacks. We should not
prohibit ourselves from doing the same with replay and other forms
of attacks.
I have no problem wit doing so as long as the additional technology is
already defined. My understanding of what you're proposing is to discuss
threats in the context of facilities that haven't been defined yet. I
continue to think this is a mistake.
There are technologies like SPF, SenderID, CSV, SES, BATV, etc which
deal with envelope-based authentication and authorization. Of course,
none of these are standards and how well any of them can aid in the
replay problem must be determined.
Now, if it is determined that a given threat can only be addressed
by a specific technology that is not completely defined, we can
either state that such technology will be needed (w/o trying to define
it) or state that the threat is a known problem.
It seems remiss to mention threats, especially serious ones that can
prohibit DKIM from being viable, without some idea how to address
the threat. I see replay as a serious threat that must be adequately
addressed in order for DKIM to be successful.
--ewh
_______________________________________________
ietf-dkim mailing list
http://dkim.org