ietf-dkim

Re: [ietf-dkim] draft-allman-dkim-{base,ssp}-01.txt

2005-10-25 01:56:13

Doug,

Douglas Otis wrote:

> Eric,
>
> I have updated and published a version of the threat review that considers an alternative to the SSP mechanism.
>
> The html and txt versions of this draft are now available at:
> http://www.sonic.net/~dougotis/id/draft-otis-dkim-threats-01.html
> http://www.sonic.net/~dougotis/id/draft-otis-dkim-threats-01.txt

I find it confusing and not entirely helpful that we now
have two partially overlapping threat analyses. Can you
try to excise the overlap so that your document only
contains the delta? I (and I'm sure others) won't be able
to properly consider your concerns if I can't see where
the differences lie.

Just to be clear though - our current charter specifies
that we work on *one* threats document and that the starting
point there is Jim's document.

> The current SSP policy for DKIM offers two seemingly poor choices:
>
> 1) Allow "third-party" signatures where messages survive list-servers, e-invites, news articles, photo kiosks, greeting cards, and other numerous services that should adopt message signing.
>
> 2) Not allow "third-party" signatures as the only means to repudiate invalid uses of an email-address.

While I would also have some concerns about how ssp handles 3rd
parties I really don't understand what you're trying to say above.

Can you rephrase it in terms that a security person who's not an
email expert can understand? (And the fewer words the better:-)

Thanks,
Stephen.

_______________________________________________
ietf-dkim mailing list
http://dkim.org