ietf-dkim

Re: [ietf-dkim] Collection of use cases for SSP requirements

2006-11-09 08:55:14
Wietse Venema wrote:

John Levine:
c) paypal-payments.com publishes that note.  I don't want their mail
  whether they verify or not.

Scott Kitterman:
C is not the problem SSP is meant to solve.
...
SSP can solve or substantially help exact domain forgery.  Some
of us think that's useful, some don't.

It's certainly useful for the bad guys behind paypal-payments.com
etc. After all, their own SSP record says their mail is authentic.

SSP helps the bad guys to create an *illegitimate* sense of security
from a *legitimate* DKIM-base result.

I find that very, very, embarrassing.

Only if you're dumb enough to think that SSP or DKIM-base solves the
lookalike domain problem. Beyond that, more information for receivers
is better. If it's unuseful to you, don't use it. Same goes for -base.
Mike

SSP does not help customers to find out if paypal-payments.com is
their paypal bank.  For that, DKIM-base results need to be used in
a more appropriate manner. We had lengthy discussions on that
already here, and they are already archived for eternity.

        Wietse
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
