ietf-dkim

Re: Issue 1527 - Threats (was Re: [ietf-dkim] Hostile to DKIM deployment)

2007-12-14 10:44:33


Dave Crocker wrote:
> Right.  So let's explore what current problems specific functions in SSP
> will mitigate.
>
> Folks who are proponents of particular SSP features should document
> specific threats and specific SSP feature(s) that will mitigate them.

I think that'd be useful.

Of course, people who aren't proponents can also document specific
threats, and I'd be interested in a few examples that aren't included
in 4868 or the security considerations of the ssp-01 I-D (if I missed
something in a recent posting a reference would be fine). I don't
doubt that some such threats exist, but I don't recall seeing anything
specific on this so far.

> An essential part of such an exercise is to explain why the mitigation is
> strategic.  That is, why will it not be easy for attackers to work
> around the SSP mechanism and achieve equivalent attack success.

Modulo look-alike domains I guess? (There's text in 4868, 4.2.1 about
that btw.) I don't think anything in SSP can mitigate that threat.

S.

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
