ietf-dkim

Re: [ietf-dkim] SSP security relies upon the visual domain appearance

2005-11-18 11:42:59
> So if, during the threat analysis, we identify some such
> constraints that make life easier/better when combined with
> some ssp options then we could consider standardising them,
> or did you mean that any such constraints should be just up
> to the individual implementer/signer?

The latter.  The point of a threat analysis is to identify threats, not to
speculate about what the response people might want to make to the
threats.

If I were going to speculate about constraints on mail that might make it
less likely to be spoofed, I could come up with a vast list, from
excluding HTML and embedded URLs to insisting that all from and sender
addresses be in the same domain as the signer, to requiring the signing
domain in the HELO and rDNS of the sending host, to forbidding any MTA
relays between the signing and validating hosts, ad infinitum.  It's pure
speculation and not useful since we have no experience at all with
SSP-like systems.  Don't do it.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.
_______________________________________________
ietf-dkim mailing list
http://dkim.org
