ietf-dkim

Re: Issue 1527 - Threats (was Re: [ietf-dkim] Hostile to DKIM deployment)

2007-12-14 11:23:55

On Dec 14, 2007, at 10:10 AM, Michael Thomas wrote:

Steve Atkins wrote:
On Dec 14, 2007, at 9:32 AM, Stephen Farrell wrote:
Modulo look-alike domains I guess? (There's text in 4868, 4.2.1 about
that btw.) I don't think anything in SSP can mitigate that threat.
In that instance the threat might be "A well informed malicious sender
misleads recipients about who the author of the mail is".
SSP's answer to that would be an ability for some receivers to
identify that an unsigned email with the byte-for-byte identical
email address in the From field should have been signed, so
is a forgery.
The analysis would touch on false positives due to signature
breakage, that byte-for-byte comparison is not adequate to
protect a visible brand, that the email address isn't even displayed
in many MUAs and so on.

Any sort of analysis needs to keep in mind that although SSP thwarts
a relatively narrow set of attacks in and of itself, it could well
be useful in conjunction with various phishing filtering heuristics,
reputation, and the like which are all outside of the scope of SSP.
Not taking that into account -- or ruling any such possibilities out
of scope -- is an unfair and impossible barrier for *any* protocol the
IETF might produce.

Absolutely.

If the value of an SSP feature is only shown when it is combined
with something else, then that something else needs to be considered
when evaluating the efficacy of mitigation provided by the combination.

But in those cases an SSP feature needs to add some value to
the approach to justify its existence. For example, phishing can
be mitigated using a list of domains that are valid sources of, for
example, financial services data and combining that with SSP
derived data.

Cheers,
  Steve

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
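As an added illustration (not code from this thread, nor from any DKIM or SSP implementation) of the receiver-side check Stephen describes and the gaps the replies point at: a constructed dictionary stands in for the DNS lookup of the From domain's practices record, a caller-supplied set of verified d= domains stands in for the output of a real DKIM verifier, and the policy labels "all" and "unknown" are simplifying assumptions of this example rather than the draft's exact syntax. The sample messages are constructed; the DKIM-Signature header in the genuine message is a placeholder, not a real signature.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, NamedTuple, Set

# Constructed policy table standing in for the DNS lookup of the From
# domain's signing practices (assumption of this example, not real data).
# "all" = the domain states every message it originates is signed;
# "unknown" = no practices published.
SSP_POLICY: Dict[str, str] = {
    "example.com": "all",
    # deliberately no entry for "examp1e.com", the look-alike domain
}


class Verdict(NamedTuple):
    author_domain: str
    policy: str
    has_signature_header: bool   # a DKIM-Signature header was present at all
    signed_by_author: bool       # a *verified* signature with d= == From domain
    suspicious: bool
    reason: str


def author_domain(msg) -> str:
    """Exact (lowercased) domain of the address in the From header.
    Only the address is compared; the display name is ignored, as in SSP."""
    _display, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def ssp_check(raw_msg: str, verified_domains: Set[str]) -> Verdict:
    """verified_domains stands in for a DKIM verifier's output: the set of
    d= domains whose signatures cryptographically verified on this message."""
    msg = message_from_string(raw_msg)
    dom = author_domain(msg)
    policy = SSP_POLICY.get(dom, "unknown")
    has_sig = msg.get("DKIM-Signature") is not None
    signed = dom in {d.lower() for d in verified_domains}
    if policy == "all" and not signed:
        return Verdict(dom, policy, has_sig, signed, True,
                       "domain publishes 'all' but no valid author signature")
    if policy == "unknown":
        return Verdict(dom, policy, has_sig, signed, False,
                       "no practices published; SSP makes no statement")
    return Verdict(dom, policy, has_sig, signed, False,
                   "valid author-domain signature present")


# Constructed sample messages; only the headers matter for this check.
PHISH_EXACT = ("From: Example Bank <alerts@example.com>\r\n"
               "Subject: Verify your account\r\n\r\nclick here\r\n")
PHISH_LOOKALIKE = ("From: Example Bank <alerts@examp1e.com>\r\n"
                   "Subject: Verify your account\r\n\r\nclick here\r\n")
PHISH_DISPLAY = ("From: Example Bank <noreply@mailer.example.net>\r\n"
                 "Subject: Verify your account\r\n\r\nclick here\r\n")
GENUINE = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; "
           "h=from:subject; bh=placeholder; b=placeholder\r\n"
           "From: Example Bank <alerts@example.com>\r\n"
           "Subject: Statement ready\r\n\r\nhello\r\n")


def run_demo() -> Dict[str, Verdict]:
    cases = {
        # 1. unsigned mail, byte-for-byte identical From address: caught
        "forged_unsigned": (PHISH_EXACT, set()),
        # 2. look-alike domain (digit 1 for l) with no practices record: not caught
        "look_alike": (PHISH_LOOKALIKE, set()),
        # 3. brand only in the display name, address on another domain: not caught
        "display_name_only": (PHISH_DISPLAY, set()),
        # 4. genuine mail whose signature broke in transit (verifier returns
        #    nothing despite the header): flagged, i.e. a false positive
        "broken_signature": (GENUINE, set()),
        # 5. genuine mail with a verified author signature: passes
        "legitimate": (GENUINE, {"example.com"}),
    }
    return {name: ssp_check(raw, doms) for name, (raw, doms) in cases.items()}


if __name__ == "__main__":
    for name, v in run_demo().items():
        print(f"{name:18} {v.author_domain:20} policy={v.policy:8} "
              f"sig_hdr={v.has_signature_header!s:5} "
              f"suspicious={v.suspicious!s:5} {v.reason}")
```

Cases 2 and 3 are the "look-alike" and "display name" gaps from the thread: the check compares only the exact address domain, so a domain that publishes nothing, or a brand carried only in the display name, never trips it. Case 4 is the false-positive side: a signature that failed in transit is indistinguishable from no signature, and a "sign everything" policy turns that breakage into a forgery verdict.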
