On Sat, 2005-11-19 at 13:31 -0800, Michael Thomas wrote: > Douglas Otis wrote: > > You agree that SSP does not provide a mechanism to prevent spoofing > > without reliance upon visual presentations [...] > > Doug, this is demonstrably false and I wish that you would > just give up on this line of argument -- if you have other good > things to say, they are being drown out by this sort of silliness. > Right now, on mtcc.com, I see reports from my software that shows > the ssp violations. It does not involve my eyeballs under the > control of a sendmail milter.
Are you suggesting character-set attacks (made possible by RFC2047, RFC3492, raw puny-code, similar ASCII characters, or "pretty-name" presentations) are prevented by a policy that requires matching domains? If the recipient _studies_ the domain and knows the character-set being used, then visual examination _may_ thwart this avenue of attack. On the other hand, if the recipient is not sure of the character-set being used, is exposed to raw puny-code or "pretty-name" presentations, then any assurance about preventing spoofing would be illusory. Indications of domain matching only exposes the recipient to a greater risk of being duped. Alternatively, indicating the recognition of a set of identifiers belonging to a prior correspondent would greatly reduce the risks of being duped without the eye-test. A policy comparing domains is like locking the front door of a house, but leaving the back door open and declaring the home secure. Why do you think companies expend resources registering similar domains, often after a litigation process? Some MUAs have even elected not to show headers. The binding recognition strategy could highlight messages of prior correspondents without any header being displayed and still defeat spoofing. As that were not enough, the acquisition of automatic bindings can still provide the same log of messages rejected at the SMTP session in the same manner as an SSP "o=!" domain comparison. With the binding recognition strategy, the SSP approach is not needed, the risks of unfair use of authorizations is eliminated, while also substantially reducing the overhead. -Doug _______________________________________________ ietf-dkim mailing list http://dkim.org
