On Jan 3, 2006, at 11:39 AM, Stephen Farrell wrote:
> Douglas Otis wrote:
>> On Jan 2, 2006, at 11:16 PM, Frank Ellermann wrote:
>>> Douglas Otis wrote:
>>>> dangerous open-ended policies as seen with SPF. (Very bad.)
>>> Define "open-ended":
>
> Aaaaargh! Please don't!
>
>> This was related to comments suggesting removal of SSP draft from the
>> charter. What problem is created in providing a definition of
>> terminology?
>
> Why not read and comment on the threats draft instead? You'll feel
> much better, really.
I _did_ respond to the threat draft, but neither reading the threat
draft nor the lack of response by _anyone_ else to this draft raises
the level of comfort. Please note that the question raised with
respect to section 3.2.2, "Identity-Related Fraud", has remained
unanswered.
http://mipassoc.org/pipermail/ietf-dkim/2005q4/001571.html
SSP was introduced rather than produced out of open discussions. SSP
goes well beyond establishing the base DKIM draft. The next steps
should be to decide how DKIM can best be applied. SSP presupposes an
email-address authorization scheme is needed, beneficial, and safe to
either assert or display. As there has not been much consideration
given for the secondary effects or the reconsideration of blatant
assumptions, the statements in a threat review seem to have been made
without any desire to defend the justifications used for the SSP
mechanism. At least Frank is willing to discuss these related issues.
There are at least two factors at play that may be hindering this
process. There is almost a rote method for dealing with email abuse
which discerns tell-tale characteristics of abusive messages not
prevented by a block-list. There is also the security community with
an almost rote method of combining identifiers with policies. When
a hammer is your only tool, everything looks like a nail. The
imagined solution is the application of an anonymous sender's policy
applied to _some_ email-address found within the message. This
overlooks a few serious problems. The anonymous sender can be a bad
actor making their own policy. The good actors will find themselves
constrained by the complexity created by restrictive policies for
email-addresses that lead to open-ended policies.
The bulk of abuse will be abated through the application of
reputation in various forms. The identifiers used in this process
must be relatively strong to ensure a fair system. The authorization
strategy invites the use of an extremely weak identifier (perhaps
seen as a tell-tale sign). There are no safe assurances possible as
a result of the application of the SSP policy. :(
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org