ietf-dkim

Re: forgeries (Re: [ietf-dkim] draft-ietf-dkim-ssp-02.txt and ASP)

2008-02-06 01:45:42
dhc(_at_)dcrocker(_dot_)net wrote:


MH Michael Hammer (5304) wrote:
2) I'm surprised that Dave hasn't commented regarding A.3 and the use of
the phrase "forgeries". I'm still amenable if we can collectively come
up with a better term for the practice involved.


OK. Looks like the +1/-1 postings on the basic ASP/SSP changes have stabilized. So maybe it's ok to comment on specifics.

And since this is one specifically queried:


The use of the word 'forgery' in both ASP and the latest SSP drafts does intend to refer to unauthorized uses of the domain. I think the wording of the paragraphs might be better -- the drafts use almost the same language -- but at least the intent matches the semantics of the word.

Whether any of this will have any effect on any meaningful amount of 'forging' is an entirely separate matter and one that I think we have thrashed to death. I don't see any benefit in thrashing it past death...

Dave,

Is it fair to conclude that you no longer feel it is necessary to do a Security Threat Analysis?

Unfortunately, I know you are not going to respond, so I want to put in the archive records that it was made aware of the new security issues introduced in ASP that did not exist in any of the previous I-D SSP policy drafts the past two plus years.

These new vulnerabilities in ASP will put DKIM-BASE signers at risk with domain reputation harm, put receivers at risk with higher overhead issues, and put users in harm with higher degree of mail deception. Overall, because of these new issues, I believe DKIM-BASE will have a greater barrier of adoption because of ASP.


--
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html