Steve Atkins wrote:
Steve, were you not involved in the lengthy threat analysis
discussions and production of RFC 4686?
The vast majority of that discusses threats against DKIM
in particular, primarily a rehash of the normal attacks
against PKI and DNS.
What I'm talking about is "the general threat that SSP is
intended to counter", which is a completely different,
and mostly unrelated thing (though I suspect that part
of the attack tree would involve the issues discussed
there). I've not seen that discussed in any clear, let
alone formal, manner, I don't think.
Well, I hate to be accused of being respectful, but I disagree.
There have been at least 2+ years of long discussions on nearly every
security aspect, every one of them regarding SSP, including its relationship
with DKIM.
Every item was discussed, debated and argued. I even wrote an IETF I-D
called DSAP that addressed nearly everything we are talking about here
with a primary focus on the security threats. I wrote detailed outlines
and provided boundary charts that laid out the possible scenarios and
events based on the possible results for DKIM plus SSP. There was an
appreciation by many people for these analysis charts.
If one chooses to ignore people, deems it not formal, not worthy or not
qualified input, or maybe you are just finally recognizing it, fair
enough. But it is really unfair to suggest to everyone that it never happened,
or that the time and energy wasn't put in.
Since the very first SSP draft, the top concerns have been:
- Redundant SSP lookups
- including when it is applied.
- What does "Exclusive" mean?
- Types of policies
- 3rd party signatures - how to control it
They were discussed, over and over and over again many times.
Unfortunately, it appears that, even with the compromises made by both
camps, the finer points still haven't been resolved.
The other significant conflicting problem:
- Reputation vs SSP
The out-of-scope concept continues to rear its head. Some people felt
there was an undermining going on with SSP, that it would never work, but
let's see where it goes. But it was like reputation was the ultimate way
to do it, hence no need to use SSP, was the basic philosophy you felt in
the air.
--
Sincerely
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html