Tuesday, December 04, 2007
Is DKIM safe without a strong policy framework? Part 2
Last year, I touched base with the DKIM security issues and its major lack of tying in policy considerations (SSP):
Is DKIM safe without a strong policy framework?
Since last year, the SSP spec has evolved into something that is surreal in terms of its functional specifications. It is overly complex and, quite frankly, I don't think even a PhD can understand its purpose.
Today, believe it or not, it is still being rehashed: same debates, same arguments, same people on one side of SSP (CONS) and same people on the other side of SSP (PROS). It is like nothing was accomplished. And just as they existed on day 1, the same problems with DKIM sans SSP exist today. It's only coming up again now because it will be on the table at the next IETF meeting.
When I wrote the alternative SSP protocol, called DSAP, it was specifically written to address all the key security issues.
After discussions with the author of SSP and the IETF-DKIM chairs, I agreed to support SSP if it covered all the basic security issues. The author did add the considerations (although in extremely complex ways), so I opted to abandon any follow-ups to my far simpler, more concise DSAP I-D proposal.
Today, I am seriously considering revisiting the DSAP proposal. If the IETF and the IETF-DKIM can't get SSP ratified (even with its complexities), I might just throw in this monkey wrench and see how it flies.