ietf-dkim

Re: [ietf-dkim] New Issue: Introduction lacks the introduction of SSP

2006-01-24 07:58:44

Hi Hector,

Hector Santos wrote:
----- Original Message -----
From: "Stephen Farrell" <stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie>

I'm not entirely clear what you don't like there, but
rather than explain it might be easier if you could
offer a better wording?

See below.

Thanks. I'll let others react to your specific suggested
text.


We even have a TOC index for Reputation but not SSP.
Go figure.

Well, that's not quite accurate. 3.2.3 is called reputation
attacks and (is one paragraph that) discusses attacks
against the reputation of someone. While that may be
confusing, it has no implication at all that a reputation
system is, or is not, a reasonable countermeasure .....

Here is what 3.2.3 says:

| 3.2.3.  Reputation Attacks
|
|    ..... It is for this reason that reputation systems
|    must be based on an identity that is, in practice, fairly
|    reliable.

The way this sounds to me, the section provides operational guidelines
(functional specifications) for a Reputation System.

I'm not so sure. I read it as saying that without DKIM any
reputation system has a big hole - and that's all I read it
as saying.

.... and it certainly says nothing about SSP.

Exactly. Why not? When in fact, SSP can most definitely address the "joe
job" issue?  The section could say:

  SSP may play a role to address this reputation attack threat.

I guess that'd be a fair sentence to add: if the domain has a
closed policy, then the recipient is less likely to "believe"
an unsigned message, in which case SSP is, I guess, helping.
Again let's see what others think.

More generally, there probably are more instances of the word
"reputation" than I noticed/recalled. But I think that in each
case the text is basically a hint that there may be something
else to be done using reputation systems, rather than a
statement that the DKIM wg will be working in that space. So, I'm
less concerned than you (clearly) but I can understand your
concern that we're giving a wrong impression overall.

It might be best if you tackle each of these as separate issues
though (suggesting better text in each case) - otherwise it's quite
likely that Jim's edits might not make you happy next time 'round.
(There're only 12 occurrences of the string in the document, so
it's not that much work since some of 'em are clustered.)  I'd say
it's also possible that not everyone will agree with you that SSP
is the answer for all of those instances, but we'll see I guess.

Cheers,
Stephen.
