On Dec 6, 2007, at 10:30 AM, Hector Santos wrote:
Steve Atkins wrote:
Bill Oxley observed across threads "When it comes to discussing
SSP I hear a lot of noise with very little reason to implement or use
except in a few specific cases like highly phished sites."

There's a long discussion to be had there, which starts with me
asking "Well, what's your threat model?" and would ideally follow
with "So, given this framework, what is your attack tree, and how
does SSP help thwart it?", but when I've tried to have that
discussion in the past it's not gone anywhere productive.

Steve, were you not involved in the lengthy threat analysis
discussions and production of RFC 4686?

The vast majority of that discusses threats against DKIM
in particular, primarily a rehash of the normal attacks
against PKI and DNS.

What I'm talking about is "the general threat that SSP is
intended to counter", which is a completely different,
and mostly unrelated thing (though I suspect that part
of the attack tree would involve the issues discussed
there). I've not seen that discussed in any clear, let
alone formal, manner, I don't think.

Cheers,
Steve
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html