----- Original Message -----
From: "Wietse Venema" <wietse(_at_)porcupine(_dot_)org>
To: <ietf-dkim(_at_)mipassoc(_dot_)org>
Sent: Tuesday, September 12, 2006 12:22 PM
Subject: Re: [ietf-dkim] SSP = FAILURE DETECTION
>> What was the advantage of SSP with look-alike domains?
> To find large unproductive ratholes? Neither DKIM nor SSP claim
> to have any direct effect on look-alike domain names, and
> there's nothing in our
> DKIM_BASE allows a recipient to distinguish mail from the bank from
> look-alike mail that pretends to be from the bank. That information
> comes in the form of the signing domain.
> SSP has an advantage when we assume that criminals are stupid enough
> to keep sending forged mail. It has no advantage with look-alike
> attacks. Guess what criminals will do.
hmmmmmmmmm, unless I didn't follow you right, I fail to see the distinction
or your point.
Scenario #1 - No Phishing in 2822.From, Phishing in signing domain. NO SSP defined.
From: accounts(_at_)paypal(_dot_)com
To: Bob(_at_)sillyuser(_dot_)com
Subject: Your Account Info
DKIM-Signature: d=paypa1.com; s=sept06; <-- valid 3PS
Here, the 3PS is valid using a look-alike domain (character one is used
instead of el). The x822.From is really paypal.com and no SSP is defined.
The result in a NO SSP environment is a VALID message with the awful
possibility some stupid Presentation software will say:
* Good Signature from accounts(_at_)paypal(_dot_)com signed by paypa1.com
Scenario #2 - Phishing in 2822.From, Phishing in signing domain.
From: accounts(_at_)paypa1(_dot_)com
To: Bob(_at_)sillyuser(_dot_)com
Subject: Your Account Info
DKIM-Signature: d=paypa1.com; s=sept06; <-- valid 3PS
Here, the 3PS is valid using a look-alike domain (character one is used
instead of el). The x822.From is also phished. The bad guy can have NO SSP
or a SSP with a designated allow list for paypa1.com.
So I don't see how it matters.
But I will say that if PAYPAL.COM (the real domain) used SSP in scenario #1,
then at the very least, the real domain is protected against a phished
signing domain when using SSP. So to me, SSP still has the advantage over a
DKIM-BASE only environment.
SSP can protect against a PHISHED DKIM-BASE SIGNATURE. A slight
distinction over a phished 2822.From domain. In short, the bad guy would
have to phish both domains - the author's and the signing domain.
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
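The two scenarios in the message above, worked through as an added example (not code from the thread or from any DKIM implementation): a hypothetical verifier-side check that runs after the DKIM signature itself has verified, compares the 2822.From domain with the d= signing domain, consults a constructed stand-in for the author domain's SSP record, and flags signers that are digit-for-letter look-alikes of a protected domain. The policy table, the confusable map and the header samples are all constructed; the real SSP record syntax is not modelled.

```python
import re

# Constructed stand-in for SSP records the author domain would publish:
# "strict" means only first-party signatures (d= equal to the From domain)
# are acceptable. These are not real DNS records.
SSP_STRICT = {"paypal.com": "strict"}
NO_SSP = {}

# Digits commonly swapped for letters to build look-alike domains (paypa1.com).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s"})


def header_domain(headers, name, pattern):
    """Pull the domain out of one header using the given regex."""
    m = re.search(pattern, headers[name])
    return m.group(1).lower()


def evaluate(headers, policy, signature_valid=True):
    """Verdict for a message whose DKIM signature has already been checked."""
    if not signature_valid:
        return "fail: signature did not verify"
    author = header_domain(headers, "From", r"@([A-Za-z0-9.-]+)")
    signer = header_domain(headers, "DKIM-Signature", r"(?:^|;)\s*d=([^;\s]+)")
    # Presentation hint: does the signer merely look like a protected domain?
    lookalike = any(signer != p and signer.translate(CONFUSABLES) == p
                    for p in policy)
    note = " (look-alike of a protected domain)" if lookalike else ""
    if author == signer:
        # First-party signature: SSP has nothing to object to, even for
        # scenario #2, where both domains are the look-alike.
        return f"pass: first-party signature by {signer}{note}"
    if policy.get(author) == "strict":
        # Scenario #1 with SSP: the real domain forbids third-party signers.
        return f"fail: {author} policy forbids third-party signer {signer}"
    # Scenario #1 without SSP: a valid 3PS the display layer must not dress up.
    return f"pass: third-party signature by {signer} for {author}{note}"


# Constructed headers mirroring the two scenarios in the thread.
SCENARIO_1 = {"From": "accounts@paypal.com",
              "DKIM-Signature": "v=1; d=paypa1.com; s=sept06"}
SCENARIO_2 = {"From": "accounts@paypa1.com",
              "DKIM-Signature": "v=1; d=paypa1.com; s=sept06"}

if __name__ == "__main__":
    for label, hdrs in (("Scenario #1", SCENARIO_1), ("Scenario #2", SCENARIO_2)):
        for pname, pol in (("no SSP", NO_SSP), ("SSP strict", SSP_STRICT)):
            print(f"{label}, {pname}: {evaluate(hdrs, pol)}")
```

Only scenario #1 under a strict policy is rejected; scenario #2 passes alignment in every configuration, which is the point the message makes about look-alike domains, and only the confusable check gives the presentation layer something to show.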
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html