ietf-dkim

Re: Issue 1527 - Threats (was Re: [ietf-dkim] Hostile to DKIM deployment)

2007-12-14 10:52:30


Stephen Farrell wrote:
>> An essential part of such an exercise is to explain why the mitigation is
>> strategic.  That is, why will it not be easy for attackers to work
>> around the SSP mechanism and achieve equivalent attack success.
>
> Modulo look-alike domains I guess? (There's text in 4868, 4.2.1 about
> that btw.) I don't think anything in SSP can mitigate that threat.


What do you mean "modulo"?

Note that "explaining why the mitigation is strategic" requires more than citing a threat.


In any event...

While you have just expressed your own opinion about SSP's ability to mitigate this attack - and fwiw I agree - I am not sure that there is a clear consensus about this among working group participants.

In the context of ensuring a broad base of shared understanding and agreement, neither your view nor mine about the particulars matters very much. Getting group consensus on the details is what matters and that begins by stating the details.

Hence the desire to document threats and mitigations for particular SSP functions explicitly.


d/
--

  Dave Crocker
  Brandenburg InternetWorking
  bbiw.net
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
