ietf-dkim

Re: [ietf-dkim] SSP security relies upon the visual domain appearance

2005-11-21 08:13:48
On Sun, 20 Nov 2005 18:37:06 -0800 Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
On Sun, 2005-11-20 at 14:49 -0500, Scott Kitterman wrote:
On 11/19/2005 14:50, Douglas Otis wrote:

You agree that SSP does not provide a mechanism to prevent spoofing
without reliance upon visual presentations...

No.  I said pretty much the exact opposite of that.

Here is your comment Sat, 19 Nov 2005:
,---
| What you are saying is that just because a message meets an SSP 
| requirement is not a safe basis for an MUA marking them somehow good.
| I agree with that, but I think it's outside the scope of what this
| almost working group is supposed to do.
'---

This clarification would seem to require an assumption that _all_
"spoofs" can be eliminated by the strict comparison of the signing-
domain and From addresses.  Paradoxically, you also agree marking such
messages good in some manner would be unsafe.  I assumed you were
agreeing additional "spoofing" risks not protected by this simplistic
comparison may involve character-set uncertainty, raw puny-code, similar
ASCII characters, or "pretty-name" presentations.  If you read the SSP
draft, visual appearance is actually stipulated.

SSP doesn't do what it doesn't do.  SSP is not and does not pretend to be 
the ultimate solution to phishing.  Your concern appears to be with 
problems that SSP is not meant to solve.  Those aren't threats to SSP, but 
threats to the mail system that SSP is not meant to address.

So, I still think your subject line is bogus.

Why would better spoofing protection requiring less effort, such as out-
of-band publishing of authorization, be outside the scope of DKIM?

I'm not aware of such a proposal.

Why are you denying visual examination is required for the SSP approach?

It's the opposite.  Visual examination is required to deal with things 
outside the scope of SSP.

Scott K
_______________________________________________
ietf-dkim mailing list
http://dkim.org
