ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] Hostile to DKIM deployment

2007-12-13 11:20:44
Wietse Venema wrote:
Jim Fenton:
(1) It changes SSP from being a protocol that governs the error
condition of an optional protocol to being a protocol that governs
 *every* email received by *every* MTA.
Application of SSP to only messages containing broken signatures has
*never* been proposed in any SSP draft.  To do so would create an
incentive not to deploy DKIM:  there would be the fear that
application of a DKIM signature might hinder delivery of messages,
because of the potential for breakage that would not exist for
unsigned messages.

An excellent reason to treat "no signature" as "bad signature"
and vice versa.

And in theory, this is acceptable.

But there is still a sub-set of hard cold facts that still allow for detection of 0% false positive fraud of unauthorized usage.

The irony in all this is that those who don't want SSP to a play role because it promotes policy driven controls, are intentionally blind to the idea that DKIM-BASE is inherently based on subjective policy driven controls. From my standpoint, I view some of these unverified DKIM-BASE inherent policies as security threats. There is no dispute that this DKIM-BASE inherent policies exist and presents an security concern. To ignore it will be irresponsible.

I don't think SSP is hostile to the DKIM deployment, but helps its deployment because it will at least provide some avenue of protection for domains and receivers who don't wish to get into 3rd Party Trust Service dependencies where there is no standard definition and absolutely no guarantee of consistent results.

So no, SSP is not hostile to DKIM deployment. However, I will note that is hostile toward those who are betting their hopes on 3rd party trust concepts.

--
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html