
Re: [ietf-dkim] Re: How SSP will assist DKIM-BASE

2007-12-14 13:00:45
Frank Ellermann wrote:
> Hector Santos wrote:
>
>> There are only five possible outcomes for DKIM-BASE:  none, pass,
>> fail and 1st party and 3rd party versions of pass and fail.
>
> I'm not aware of any FAIL in DKIM, or rather it's by definition
> the same as NONE, isn't it ?

That's correct. See the entire message. I broke it up so you can see the difference.

> That would simplify your table to three rows.  You could add
> the "process" vs. "deny" business resulting in more columns (?)

If you fold them, then you have a complex situation where you can't repudiate a DKIM-BASE policy.

For example, for a strict or all policy:

  Scenario #1  Mail is really really NOT signed.
  Scenario #2  Mail is signed by invalid

In scenario #1, you have a 100% zero false positive of non-repudiation. It is a condition that everyone agrees is invalid. No one can repudiate this.

In scenario #2, if you fold this into a NONE signature, then you do not have a zero false positive situation because the reality was "altered" from the fact that there was a real attempt at a signature process - but for some reason it failed. The only way to deal with this deterministically is with handling=process or handling=deny.

So in effect, there is a "conflict" with handling= and the DKIM-BASE inherent policy of promoting dead signatures to NONE.

> Talking about "0% false positive" in conjunction with the "1st
> author" approach is utterly dubious, but I guess I mentioned this
> already in the last years ;-)

I think if you keep "reputation" out of this, then you can better see it. This analysis applies blind to the good or bad. We all must play on the same field first.

I hope this analysis shows that there is no reputation here.

> You could use reputation to decide what "+1" actually means,
> e.g. "spammer managed to get SSP right", or to decide if you
> wish to evaluate SSP at all.  Or you could decide to ignore
> DKIM if there's no chance to get a "-1", IIRC you wanted to
> use SSP always *before* checking DKIM, or did you drop that ?

It's a protocol consistency modeling analysis. You have to establish your boundary conditions before you can even try to simulate real world behavior. It is DKIM-BASE that defines the conditions and rules of the game. SSP is just the "referee" :-)

--
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html