Dave Crocker wrote:
> Right. So let's explore what current problems specific functions in SSP
> will mitigate.
>
> Folks who are proponents of particular SSP features should document
> specific threats and specific SSP feature(s) that will mitigate them.

I think that'd be useful. Of course, people who aren't proponents can also document specific threats, and I'd be interested in a few examples that aren't included in 4868 or the security considerations of the ssp-01 I-D (if I missed something in a recent posting a reference would be fine). I don't doubt that some such threats exist, but I don't recall seeing anything specific on this so far.

> An essential part of such exercise is to explain why the mitigation is
> strategic. That is, why will it not be easy for attackers to work
> around the SSP mechanism and achieve equivalent attack success.

Modulo look-alike domains I guess? (There's text in 4868, 4.2.1 about that btw.) I don't think anything in SSP can mitigate that threat.

S.

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
