ietf-dkim

Re: [ietf-dkim] Tracing SSP's paradigm change

2007-12-06 11:14:23

On Dec 6, 2007, at 9:58 AM, Scott Kitterman wrote:

> On Thursday 06 December 2007 12:49, Steve Atkins wrote:
>
>> In a well-designed protocol based on DKIM, yes I'd agree that a
>> validly DKIM signed message should not provoke an SSP query.
>>
>> But that's not the protocol we have.
>>
>> I think RFC 5016 shows a lack of understanding of DKIM (or is choosing
>> not to consider some important features of DKIM), and is
>> part of the push to try and build a next generation SPF on
>> an inappropriate base authentication technology.
>
> I think you aren't understanding the purpose of SSP at all.
>
> If any random signature from any domain obviates the SSP, what possible use is
> SSP?

Bill Oxley observed across threads "When it comes to discussing
SSP I hear a lot of noise with very little reason to implement or use
except in a few specific cases like highly phished sites."

There's a long discussion to be had there, which starts with me
asking "Well, what's your threat model?" and would ideally follow
with "So, given this framework, what is your attack tree, and how
does SSP help thwart it?", but when I've tried to have that discussion
in the past it's not gone anywhere productive.

Cheers,
  Steve

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html