On Sun, 2005-11-20 at 14:49 -0500, Scott Kitterman wrote:
> On 11/19/2005 14:50, Douglas Otis wrote:
>
> > You agree that SSP does not provide a mechanism to prevent spoofing
> > without reliance upon visual presentations...
>
> No. I said pretty much the exact opposite of that.

Here is your comment Sat, 19 Nov 2005:

,---
| What you are saying is that just because a message meets an SSP
| requirement is not a safe basis for an MUA marking them somehow good.
| I agree with that, but I think it's outside the scope of what this
| almost working group is supposed to do.
'---

This clarification would seem to require an assumption that _all_
"spoofs" can be eliminated by the strict comparison of the signing-domain
and From addresses. Paradoxically, you also agree marking such messages
good in some manner would be unsafe.

I assumed you were agreeing additional "spoofing" risks not protected by
this simplistic comparison may involve character-set uncertainty, raw
puny-code, similar ASCII characters, or "pretty-name" presentations. If
you read the SSP draft, visual appearance is actually stipulated.

Why would better spoofing protection requiring less effort, such as
out-of-band publishing of authorization, be outside the scope of DKIM?
Why are you denying visual examination is required for the SSP approach?

-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org
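
The gap argued in the message above, sketched as an added example that is not part of the original post or of any SSP draft: a From header can pass a strict signing-domain comparison and still mislead the reader through a "pretty-name", a raw puny-code label or similar ASCII characters. The function names, the lookalike map and the sample headers in the comments are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed, non-exhaustive map of ASCII characters that read alike.
_LOOKALIKE = str.maketrans({"0": "o", "1": "l", "5": "s"})

def _skeleton(domain):
    """Fold common ASCII lookalikes so visually similar domains collide."""
    folded = domain.lower().translate(_LOOKALIKE)
    return folded.replace("rn", "m").replace("vv", "w")

def strict_match(from_header, signing_domain):
    """The strict comparison: From address domain equals the signing domain."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() == signing_domain.lower()

def presentation_risks(from_header, known_domains):
    """List reasons a header may still mislead a reader after a strict match."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    risks = []
    # "Pretty-name": the display name shows an address in another domain.
    for shown in re.findall(r"[\w.+-]+@([\w.-]+)", name):
        if shown.lower() != domain:
            risks.append("display-name-address:" + shown.lower())
    # Raw puny-code label: an MUA may render it as non-ASCII text.
    if any(label.startswith("xn--") for label in domain.split(".")):
        risks.append("punycode-label")
    # Similar ASCII characters: collides with a domain the recipient knows.
    for known in known_domains:
        if domain != known.lower() and _skeleton(domain) == _skeleton(known):
            risks.append("lookalike-of:" + known.lower())
    return risks

if __name__ == "__main__":
    # Constructed sample: signed by example.net, matches strictly, yet the
    # display name presents an example.com address to the reader.
    hdr = '"billing@example.com" <billing@example.net>'
    print(strict_match(hdr, "example.net"), presentation_risks(hdr, ["example.com"]))
```
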
