On October 12, 2005 at 18:14, Ned Freed wrote:

> > For example, there seems to be no problem in mentioning DNSSEC as a
> > technology for dealing with some DNS-based attacks. We should not
> > prohibit ourselves from doing the same with replay and other forms
> > of attacks.
>
> I have no problem with doing so as long as the additional technology is
> already defined. My understanding of what you're proposing is to discuss
> threats in the context of facilities that haven't been defined yet. I
> continue to think this is a mistake.

There are technologies like SPF, SenderID, CSV, SES, BATV, etc., which deal with envelope-based authentication and authorization. Of course, none of these are standards and how well any of them can aid in the replay problem must be determined.

Now, if it is determined that a given threat can only be addressed by a specific technology that is not completely defined, we can either state that such technology will be needed (w/o trying to define it) or state that the threat is a known problem.

It seems remiss to mention threats, especially serious ones that can prohibit DKIM from being viable, without some idea how to address the threat. I see replay as a serious threat that must be adequately addressed in order for DKIM to be successful.

--ewh

_______________________________________________
ietf-dkim mailing list
http://dkim.org
