On Sun, 2005-11-20 at 14:49 -0500, Scott Kitterman wrote:
> On 11/19/2005 14:50, Douglas Otis wrote:
>> You agree that SSP does not provide a mechanism to prevent spoofing
>> without reliance upon visual presentations...
>
> No. I said pretty much the exact opposite of that.

Here is your comment Sat, 19 Nov 2005:
,---
| What you are saying is that just because a message meets an SSP
| requirement is not a safe basis for an MUA marking them somehow good.
| I agree with that, but I think it's outside the scope of what this
| almost working group is supposed to do.
'---

This clarification would seem to require an assumption that _all_
"spoofs" can be eliminated by the strict comparison of the signing-
domain and From addresses. Paradoxically, you also agree marking such
messages good in some manner would be unsafe. I assumed you were
agreeing additional "spoofing" risks not protected by this simplistic
comparison may involve character-set uncertainty, raw puny-code, similar
ASCII characters, or "pretty-name" presentations. If you read the SSP
draft, visual appearance is actually stipulated.

Why would better spoofing protection requiring less effort, such as out-
of-band publishing of authorization, be outside the scope of DKIM?

Why are you denying visual examination is required for the SSP approach?

-Doug

_______________________________________________
ietf-dkim mailing list
http://dkim.org
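
The strict comparison of signing-domain and From address debated in the message above, as an added example that is not part of the thread or of the SSP draft: it shows a From header passing the strict match while still carrying a presentation risk a verifier can flag. The function names and all sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr


def from_domain(from_header):
    """Return (display_name, lowercased domain) for a From header value."""
    name, addr = parseaddr(from_header)
    return name, addr.rpartition("@")[2].lower()


def strict_match(from_header, signing_domain):
    """Strict comparison: the From address domain equals the signing domain."""
    return from_domain(from_header)[1] == signing_domain.lower()


def residual_risks(from_header):
    """List presentation risks that a successful strict match does not remove."""
    name, domain = from_domain(from_header)
    risks = []
    # Raw punycode labels render differently depending on the mail client.
    if any(label.startswith("xn--") for label in domain.split(".")):
        risks.append("punycode-domain")
    # Unencoded non-ASCII in the domain: character-set uncertainty.
    if not domain.isascii():
        risks.append("non-ascii-domain")
    # "Pretty-name" that itself looks like an address in another domain.
    shown = re.search(r"@([A-Za-z0-9.-]+)", name)
    if shown and shown.group(1).lower().rstrip(".") != domain:
        risks.append("display-name-shows-other-address")
    return risks


# Constructed samples: (From header, signing domain of a valid signature).
SAMPLES = [
    ("Alice <alice@example.com>", "example.com"),
    ('"billing@example.com" <notice@example.net>', "example.net"),
    ("Support <help@xn--exmple-cua.example>", "xn--exmple-cua.example"),
]

if __name__ == "__main__":
    for header, d in SAMPLES:
        print(header, strict_match(header, d), residual_risks(header))
```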