Charles Lindsey: > On Thu, 01 Mar 2007 13:44:21 -0000, Wietse Venema <[EMAIL PROTECTED]> > wrote: > > > On a friendly internet with only cooperating parties, this might > > make sense. But the world has changed. With today's internet it > > would be a fundamental mistake to make more distinctions than: > > > > the signature was verified > > other > > > > If the verifier gives different treatments to different types of > > "other", then the bad guys will exploit the verifier's behavior. > > And how do you stop verifiers doing that?
There is no cure for stupidity, but I can try to educate. > Verifiers will do as they think fit (i.e. what their clients will pay > for), whatever our standards say. If some likely (though deprecated) > verifier behaviour leads to exploits by the Bad Guys, and there is an easy > way to counter the exploit (e.g. by clearer information in the SSP), then > it would be wise to dopt it. > > "Defence in depth" is the term, I believe. SSP is not a cure for exploitable verifiers. "Wrong solution for the wrong problem" is the term, I believe. Wietse _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html