ietf-dkim

Re: [ietf-dkim] Re: Should DKIM drop SSP?

2005-10-27 14:36:25

----- Original Message -----
From: "Scott Kitterman" <ietf-dkim(_at_)kitterman(_dot_)com>
To: <ietf-dkim(_at_)mipassoc(_dot_)org>
Sent: Thursday, October 27, 2005 4:52 PM
Subject: Re: [ietf-dkim] Re: Should DKIM drop SSP?


Doug,

So is it your view that DKIM roughly as it stands, with SSP and without your
"Opaque identifier" is fatally flawed and shouldn't go forward?


From what I extract from his mail, the only RELIABLE POLICY is an EXCLUSIVE
policy.  If so, I agree that this is the #1 benefit.

But we knew this from SPF.  SPF's #1 protection is with Exclusive (PASS/FAIL)
Policies.  This is all deja-vu, and it surprises me that critics of SPF, for
the exact problems it has, don't see that the same problem will exist with DKIM
with unchecked relaxed 3rd party signing allowance policies.

With SPF, our statistics consistently show ~60% of the SPF policies are
relaxed.  Of these, ~80% are spoofed as detected by follow-up CBV checking.

There is no doubt in my mind DKIM will follow the same path with relaxed
policies, especially those that go unchecked.

The difference?

A major reason for neutral SPF policies was to address the transition point
problem that it was not designed to address. Per specification, migration
planning is the reason to use relaxed policies.  The problem: There is no
expiration on relaxed policies.

DKIM does not have this transition point problem and it offers some level of
relaxed policy protection with key expiration features.

In addition, with SSP checking, it offers some ways to "extract" the bad
liars exploiting or spoofing relaxed policies.

So it has some benefits of SPF in this regard.

Protection Spectrum:

 +-----------------------------------------------------+
 |                 DKIM TRUST METER                    |
 |low                                              high| Trust
 ||||||||||||||||||||||||||||||||||||||||||||||||||||||| Meter
 |RRRRRRRRRRRRRRRBBBBBBBBBBYYYYYYYLLLLLLLGGGGGGGGGGGGGG| Color
 |NONE < NEUTRAL < STRONG < WEAK < EXCL < NOMAIL < NONE| SSP
 |~~~~~~~~~~~~~~~---------???????!!!!!!!.........      | SSP Tags
 |          3PS Allowed  |         3PS Not Allowed     | 3rd party
 +-----------------------------------------------------+


--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com





_______________________________________________
ietf-dkim mailing list
http://dkim.org
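
Added example, not part of the original message or of any poster's software: one way a receiver could measure the exclusive/relaxed split of SPF policies the message refers to, by classifying each record on the qualifier of its `all` mechanism (RFC 7208). Treating softfail (`~all`), neutral (`?all`) and a record with no `all` as "relaxed" is an assumption of this example; the sample records are constructed.

```python
"""Classify SPF records as exclusive or relaxed by their `all` qualifier."""
from collections import Counter

# `all` qualifiers mapped to the message's terms. Counting "~" and "?" as
# "relaxed" is this example's assumption, not a definition from the message.
QUALIFIER_CLASS = {"-": "exclusive", "~": "relaxed", "?": "relaxed", "+": "open"}


def classify_spf(txt):
    """Return exclusive, relaxed, open, deferred or not-spf for one TXT record."""
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return "not-spf"
    has_redirect = False
    for term in terms[1:]:
        low = term.lower()
        if low.startswith("redirect="):
            has_redirect = True
            continue
        # A mechanism without an explicit qualifier defaults to "+".
        qualifier, mechanism = (low[0], low[1:]) if low[0] in "+-~?" else ("+", low)
        if mechanism == "all":
            # `all` always matches; redirect= is ignored when `all` is present.
            return QUALIFIER_CLASS[qualifier]
    # No `all`: redirect= hands the decision to another record; otherwise an
    # unmatched sender gets the default result, neutral.
    return "deferred" if has_redirect else "relaxed"


def relaxed_share(records):
    """Fraction of the SPF records (non-SPF TXT excluded) that are relaxed."""
    counts = Counter(classify_spf(r) for r in records)
    total = sum(n for kind, n in counts.items() if kind != "not-spf")
    return counts["relaxed"] / total if total else 0.0


# Constructed sample TXT records (documentation domains and address ranges).
SAMPLE = [
    "v=spf1 mx -all",
    "v=spf1 include:_spf.example.net ~all",
    "v=spf1 a ?all",
    "v=spf1 ip4:192.0.2.0/24",
    "v=spf1 redirect=_spf.example.org",
    "v=spf1 +all",
    "site-verification=constructed-token",
]

if __name__ == "__main__":
    for record in SAMPLE:
        print(f"{classify_spf(record):10} {record}")
    print(f"relaxed share: {relaxed_share(SAMPLE):.0%}")
```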