
Re: [ietf-dkim] Collection of use cases for SSP requirements

2006-11-09 10:50:49
Steve Atkins wrote:

> On Nov 8, 2006, at 8:10 AM, Scott Kitterman wrote:
>
>> On Wed, 8 Nov 2006 07:55:15 -0800 Steve Atkins <steve(_at_)blighty(_dot_)com> wrote:
>>
>>> On Nov 8, 2006, at 4:24 AM, Charles Lindsey wrote:
>>>
>>>> I think some site like a Bank, that is heavily phished, might go so
>>>> far as to declare
>>>>    "I sign all mail. Please delete/reject/drop/whatever (perhaps
>>>>    even silently) all messages that fail to verify".
>>>>
>>>> That site would have to be pretty confident that the genuine mail
>>>> it sent out was 100% clean, but it might well decide that it was a
>>>> lesser risk to have some genuine messages dropped than to let
>>>> phishes go through.
>>>>
>>>> BTW, are there any plans to have keywords for some of the various
>>>> policies that might be declared, so that verifiers (or rather their
>>>> policy modules) could recognize them and adjust their policy
>>>> accordingly?
>>>
>>> I do have to point out that SSP will not affect phish emails noticeably,
>>> after a very short transition period.
>>>
>>> So if a bank were to do this it would mean 1) phishing mails won't
>>> be affected and 2) legitimate mail from the bank is likely to be
>>> affected.
>>>
>>> So... what's the _real_ use case, again?
>>
>> Please explain. If a sender publishes a policy that says I sign all mail
>> and a receiver rejects, deletes, etc. all mail that isn't signed by that
>> sender, what is the phisher's transition path to work around it?
>>
>> I agree that this does not help with look-alike domains, but for phishing
>> that uses a sender's domain, I'm not sure what you are getting at?
>
> You point out the underlying issue nicely.
>
> Phishing doesn't have to use the real domain. There are *countless*
> ways of phishing that don't require it. Even now, a lot of phish mails
> don't bother using the real domain, even though there's no real
> disincentive to do so in most cases. If there were even a minor
> disincentive then they could move away from that today with
> minimal inconvenience.

This assumes that social problems have to be solved only in the
technical realm in order to be useful. I'm sure that John will snort his
coffee through his nose, but training users to only expect to hear from
paypal from paypal.com is most likely part of the solution. SSP can help on
this front, and at least gives some incentive for the marketdroids to stop
confusing the issue of legitimacy with self-inflicted wounds of using
look-alike domain names themselves.

Is this a whole solution? Of course not. We already know that no such
silver bullet exists. Can or should we lessen the degrees of freedom in
which bad guys can act? Sure seems like a reasonable idea to me. The
only real question in my mind is whether this particular piece of technology
is really worth the effort in the short/medium and long run. I think that
reasonable people can have reasonable differences of opinion on that.
For the dissenters, so long as there's not active harm what's the problem?
Don't use it if you think it's useless.

      Mike
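As an added illustration, not code from this thread or from any DKIM implementation, here is a toy verifier policy module that applies the "I sign all mail, drop what fails to verify" rule the bank in Charles's scenario would publish. The policy table, the keyword names and the domains are all constructed for this example. It shows the trade-off both sides describe: to the verifier, a forged message and a genuine message whose signature broke in transit are the same input, and a look-alike domain that publishes no policy passes untouched.

```python
"""Toy SSP-style policy module for a DKIM verifier (added illustration)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed policy table: domain -> published signing policy. The keyword
# names are assumed for this example, not taken from the thread:
#   "all":         every message from this domain carries the domain's signature
#   "discardable": as "all", and the sender asks receivers to drop failures
#   "unknown":     nothing published (default for any domain not listed)
PUBLISHED_POLICY: Dict[str, str] = {
    "bank.example": "discardable",
    "shop.example": "all",
}

@dataclass
class Message:
    from_domain: str                  # domain of the RFC 2822 From: header
    verified_d: Optional[str] = None  # d= of a signature that verified, else None

def lookup_policy(domain: str) -> str:
    return PUBLISHED_POLICY.get(domain, "unknown")

def disposition(msg: Message) -> str:
    """Return 'accept', 'suspicious' or 'reject' from the From: domain's policy
    and whether a signature by that same domain verified."""
    policy = lookup_policy(msg.from_domain)
    if policy == "unknown" or msg.verified_d == msg.from_domain:
        return "accept"
    # Policy says all mail is signed, yet no valid author-domain signature.
    return "reject" if policy == "discardable" else "suspicious"

def run_cases() -> Dict[str, str]:
    """Constructed messages covering each outcome the thread argues about."""
    cases = {
        # genuine, signed bank mail
        "genuine_signed": Message("bank.example", "bank.example"),
        # genuine bank mail whose signature broke in transit: the self-inflicted
        # cost Charles accepts, and indistinguishable from the forgery below
        "genuine_broken_sig": Message("bank.example", None),
        # forged From: using the bank's own domain (what the policy stops)
        "forged_real_domain": Message("bank.example", None),
        # look-alike domain that publishes nothing (Steve's point: untouched)
        "lookalike_domain": Message("bank-secure.example", None),
        # domain publishing "all" but not "discardable": flag rather than drop
        "unsigned_soft_policy": Message("shop.example", None),
    }
    return {name: disposition(m) for name, m in cases.items()}
```

The look-alike case is where a policy module stops and user training, as Mike suggests, or separate look-alike detection has to take over.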
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
