Stephen Farrell wrote:
> > An essential part of such an exercise is to explain why the mitigation is
> > strategic. That is, why will it not be easy for attackers to work
> > around the SSP mechanism and achieve equivalent attack success.
> Modulo look-alike domains I guess? (There's text in 4868, 4.2.1 about
> that btw.) I don't think anything in SSP can mitigate that threat.
What do you mean "modulo"?
Note that "explaining why the mitigation is strategic" requires more than
citing a threat.
In any event...
While you have just expressed your own opinion about SSP's ability to mitigate
this attack - and fwiw I agree - I am not sure that there is a clear consensus
about this among working group participants.
In the context of ensuring a broad base of shared understanding and agreement,
neither your view nor mine about the particulars matters very much. Getting
group consensus on the details is what matters and that begins by stating the
details.
Hence the desire to document threats and mitigations for particular SSP
functions explicitly.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html