----- Original Message -----
From: "Scott Kitterman" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, October 27, 2005 4:52 PM
Subject: Re: [ietf-dkim] Re: Should DKIM drop SSP?

> Doug,
>
> So is it your view that DKIM roughly as it stands, with SSP and without your
> "Opaque identifier" is fatally flawed and shouldn't go forward?
>

From what I extract from his mail, the only RELIABLE POLICY is an EXCLUSIVE policy.

If so, I agree that this is the #1 benefit. But we knew this from SPF. SPF's #1 protection is with Exclusive (PASS/FAIL) Policies.

This is all deja-vu and it surprises me to see critics of SPF for the exact problems it has, don't see the same problem will exist with DKIM with unchecked relaxed 3rd party signing allowance policies.

With SPF, our statistics consistently show ~60% of the SPF policies are relaxed. Of these, ~80% is spoofed as detected by follow up CBV checking.

There is no doubt in my mind DKIM will follow the same path with relaxed policies, especially those that go unchecked.

The difference?

A major reason for neutral SPF policies was to address the transition point problem that it was not designed to address. Per specification, migration planning is the reason to use relaxed policies. The problem: There is no expiration on relaxed policies.

DKIM does not have this transition point problem and it offers some level of relaxed policy protection with key expiration features. In addition, with SSP checking, it offers some ways to "extract" the bad liars exploiting or spoofing relaxed policies. So it has some benefits of SPF in this regard.

Protection Spectrum:

+-----------------------------------------------------+
|                  DKIM TRUST METER                   |
|low                                              high| Trust
||||||||||||||||||||||||||||||||||||||||||||||||||||||| Meter
|RRRRRRRRRRRRRRRBBBBBBBBBBYYYYYYYLLLLLLLGGGGGGGGGGGGGG| Color
|NONE < NEUTRAL < STRONG < WEAK < EXCL < NOMAIL < NONE| SSP
|~~~~~~~~~~~~~~~---------???????!!!!!!!.........      | SSP Tags
|      3PS Allowed       |      3PS Not Allowed       | 3rd party
+-----------------------------------------------------+

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com

_______________________________________________
ietf-dkim mailing list
http://dkim.org
