On Oct 25, 2005, at 1:47 AM, Stephen Farrell wrote:

http://www.sonic.net/~dougotis/id/draft-otis-dkim-threats-01.html
http://www.sonic.net/~dougotis/id/draft-otis-dkim-threats-01.txt

I find it confusing and not entirely helpful that we now
have two partially overlapping threat analyses. Can you
try to excise the overlap so that your document only
contains the delta? I (and I'm sure others) won't be able
to properly consider your concerns if I can't see where
the differences lie.

Just to be clear though - our current charter specifies
that we work on *one* threats document and that the starting
point there is Jim's document.

Of course there should only be one document. I found it easier to
sweep through what stood out as desired changes by editing Jim's
excellent document. I was troubled by how the threat review did not
treat the SSP mechanism separately. As it is now, extracting the
SSP mechanism will create a number of changes to this review. I also
have concerns that the SSP mechanism may only be appropriate for a
few special cases where these domains' policies should also be easier
to obtain than allowed with the SSP mechanism.

DKIM can provide significant benefit without any policies being
published, but instead by simply including binding information within
the message and using an opportunistic strategy. There is not going
to be a flag day.

So far, I have only managed to provide the comparison documents.
Explaining problems with SSP will take longer than the time I have
today. Saying it in fewer words is a challenge I am not well suited
to handle. : )

Here is a link to a series of PDF files that provides a section by
section breakdown of the changes.

http://www.sonic.net/~dougotis/dkim/

-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org