ietf-dkim

Re: [ietf-dkim] SSP = FAILURE DETECTION

2006-09-12 02:25:26
Thomas A. Fine:
> Wietse Venema wrote:
> > Thomas A. Fine:
> > > Wietse Venema wrote:
> > > > Criminals switch strategy, and use look-alike domains to make their
> > > > mail look even more authentic than it does today.
> > > >
> > > > If this is how SSP stops phishing mail, we have achieved nothing.
> > >
> > > I can NOT stop burglaries, but I still have locks on my doors.  But
> > > SSP is BETTER than a lock:
> >
> > If you knew my work then you would know better than to picture me
> > as an "it's not perfect therefore it's worthless" zealot.
> >
> > DKIM-base can help to give good sites an edge over look-alike
> > domains (with a trusted signing domain list, possibly maintained
> > like an ssh trusted fingerprint list).
> >
> > I see no such advantage with SSP.
>
> With only DKIM-base, an MDA will present unsigned, forged mail from
> bigbank.com to the end user, and it will hope that the user notices
> BOTH that the message is not signed, AND that bigbank.com has in the
> past signed things.  Users, being inherently unreliable, will sometimes
> get fooled.
>
> With DKIM/SSP, the MDA will prevent the mail from being delivered to
> the user.  Users will never get fooled.
>
> See the advantage now?

What was the advantage of SSP with look-alike domains?

        Wietse
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html