ietf-dkim

Re: [ietf-dkim] The limits of DKIM and SSP

2007-12-10 07:37:19
On Monday 10 December 2007 08:36, Wietse Venema wrote:
> Scott Kitterman:
> > On Sunday 09 December 2007 10:07, Wietse Venema wrote:
> > > ...
> > >
> > > Conclusion
> > >
> > > We have a paradox where DKIM-BASE does not promise protection
> > > against phishing attacks, but it's near trivial to use for that
> > > purpose with a local address book; while SSP protection against
> > > phishing can be sidestepped near trivially because it is grounded
> > > in statements by a Sender Domain whose trustworthiness is unproven.
> >
> > Assuming SSP asserts something positive beyond what DKIM asserts.  It
> > doesn't. It allows a negative to be identified.
>
> It is not in the Bank's interest to say negative things about the
> Bank's mail.
>
> Likewise, it is not in the Criminal's interest to say negative
> things about the Criminal's mail.
>
> SSP alone does not distinguish between mail from a Bank and mail
> from a Criminal who pretends to be a bank. That is SSP's dirty
> little secret.
>
> This was my final attempt to illustrate this fundamental problem.
> I can lead the horse to the water but I can't force it to drink.

Fair enough.  Thank you for trying again.  I think we are in agreement about 
what SSP can't do.  It seems to me that the fundamental disagreement is about 
whether the relatively small thing it can do is worth doing or not.

What you describe as a "Dirty little secret", I don't think is a secret at 
all.

SSP can help receivers identify exact domain use by external entities.  For 
some classes of domains such use is overwhelmingly likely to be fraudulent 
and SSP can give receivers a way to reliably identify unauthorized use and 
reject such mail.  It's only a very narrow piece of the phishing problem, but 
one that I find worth dealing with (even if the end result is just that such 
messages don't get sent anymore because they stop working).

Scott K
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
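To make the two positions in this exchange concrete, here is an added receiver-side evaluator (my own illustration, not code from the thread, from Postfix, or from the SSP drafts). It assumes a DKIM verifier has already reported the d= domain of any valid signature, and it stands in for the DNS policy lookup with a constructed table keyed by author domain; the domain names and policy values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed stand-in for the sender-published SSP lookup. A lookalike
# domain run by someone else can publish exactly the same policy as the
# real bank: the record only says "we sign our mail", not "trust us".
CONSTRUCTED_SSP: Dict[str, str] = {
    "bank.example": "all",
    "bank-secure.example": "all",   # assumed lookalike, not the bank
}

# Constructed stand-in for the receiver's local address book: domains the
# receiver has decided, on its own evidence, should always be author-signed.
CONSTRUCTED_ADDRESS_BOOK = {"bank.example"}


@dataclass
class Message:
    from_domain: str              # domain of the From: author address
    sig_domain: Optional[str]     # d= of a valid DKIM signature, or None


def classify(msg: Message,
             ssp_lookup: Callable[[str], str],
             address_book: set) -> str:
    """Return the receiver's verdict for one message."""
    author_signed = msg.sig_domain == msg.from_domain

    # Receiver-side knowledge: the local address book. Trust comes from
    # the receiver's own history with the domain, not from the sender.
    if msg.from_domain in address_book:
        return "trusted" if author_signed else "suspicious"

    # Sender-published knowledge: SSP. A valid author signature proves
    # who signed, but says nothing about whether that party is a bank.
    if author_signed:
        return "signed-but-unvetted"
    if ssp_lookup(msg.from_domain) in ("all", "strict"):
        return "suspicious"       # domain says it signs everything; this is unsigned
    return "unknown"


def lookup_ssp(domain: str) -> str:
    """Stand-in for the DNS query; 'unknown' when no record is published."""
    return CONSTRUCTED_SSP.get(domain, "unknown")
```

The narrow win Scott describes is the unsigned message that claims bank.example and is flagged "suspicious" from SSP alone; the limit Wietse describes is the self-signed lookalike, which SSP can only mark "signed-but-unvetted".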