ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] The limits of DKIM and SSP

2007-12-10 11:10:04
from [Hector Santos] [Permanent Link] 
Dave Crocker wrote:
Fraudulent From domains are a problem, and they certainly occur in massive numbers, but if bad actors can trivially use alternatives that are not equally protected, fixing only the fraudulent From domain issue is of no long-term benefit. 

Yes and No.
Part of investing in solution comes with an expecting there will be high payoff. Thats a given.
In my engineering view, there is a high payoff in eliminating one of the most obvious frauds there is that today we have no real reliable protection against.
More importantly, when done as a group, you begin to do something that was never done before - force the bad guy to change or adapt. Help shift the burden and cost to the bad guy. Do nothing? Like today, the bad guy has no incentive to adapt.
So if adapting to the other "look-alike" domains, then this will narrow the focus of developing augmented solutions that begin to require learning, heuristics and artificial intelligence methods.
But in the mean time, we closed one of the biggest loopholes we have today. We force the bad guys to change - a shift in the cost burden.
As such, anything that SSP attempts needs to be evaluated in terms of long-term benefits and the likelihood that there is a simple work-around available to bad actors.
That has been done Dave. Unfortunately, you have your own filtering process.
And we certainly have not done a threats and work-arounds 
> analysis for SSP.
This is so not true David. What will it take to prove it was already done? What are you looking for?
For each proposed SSP feature, there needs to be a statement describing the thread, the way that the feature will mitigate it and some discussion of possible work-arounds and the ease with which they can be used.
The analysis had already been done. There were a few proposals centered around it and the RFC 5016 Requirements document and SSP-01 draft are reflections of that 2+ year analysis.
That said, I do agree with you there are troubling aspects of it and they were predicted to occur by a few people in the group.
I always felt that sound engineering will engineering prevail. To my surprise, I wonder why it took you so long to bring up a few of these critical points that were clearly highlighted many times here. They are the reasons why had did other I-D proposals written.
Unfortunately, David, with all due respect, you seem to have your own process of dissemination information. I can suggest that you begin reading input from all interested parties and not just a selected few you deem worthy of your attention. This is not an attack on your person, I have a tremendous amount of respect for you, but it is an observation of whats going on here. 

--
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] NEW ISSUE: Limit the application of SSP to unsigned messages, Dave Crocker
Next by Date:  [ietf-dkim] Re: Issue #1527:, Stephen Farrell
Previous by Thread:  Re: [ietf-dkim] Re: Issue #1527:, Hector Santos
Next by Thread:  RE: [ietf-dkim] Discussing what someone said about SSP - productive?, Bill.Oxley
Indexes:  [Date] [Thread] [Top] [All Lists]