[dkim-ops] DKIM - ATPS
Murray S. Kucherawy
msk at cloudmark.com
Wed Sep 22 10:42:30 PDT 2010
> -----Original Message-----
> From: Hector Santos [mailto:hsantos at isdg.net]
> Sent: Wednesday, September 22, 2010 5:19 AM
> To: Murray S. Kucherawy
> Cc: dkim-ops at mipassoc.org
> Subject: DKIM - ATPS
> Murray, I should be completed with implementation of the ATPS project
> and released to beta testers by noon today (EST).
Excellent! Did you find it easy to code?
> 1) Why the MD5 hashing? What's the gain here?
> I am viewing this as a higher record keeping requirement. You can't
> eyeball this and see what domains are authorized. You might want to
> comment to add some value such as the domain being hashed here.
You named one of the advantages. If I can find out what domains you authorize, I know what domains I have to try to spoof. MD5 doesn't exactly hide names from being guessed, of course, but at least it's not out in the open.
To see a disadvantage of the cleartext form, consider that the record would then be stored at <3pdomain>._atps.<sender-domain>. Since such a name has a maximum size of 256 bytes, the length of the two domains has to add to 249. That means the longer <sender-domain> is, the more constrained you are with respect to which third parties you can authorize. That doesn't seem a fair system. A digest offers uniform compression and MD5 is the cheapest of the popular hashes, making ATPS equally usable by everyone.
A disadvantage of the hashed form is that wildcarding can't be used to allow a <3pdomain> and any subdomain of it to be authorized. It's not clear to me though that this would be common.
> 2) Why not have multiple results for one DNS query? That is the
> approach I am taking with ASL. If the asl= tag becomes too long, I
> leave it up to the DNS admin to create another ADSP record and the ASL
> aware verifier will merge multiple TXT response headers. That was
> explored with DSAP defining different sub-domain policies.
This shortens specific records, but doesn't shorten the overall answer. If multiple TXT records are found, they are all packed into the same single DNS reply. This actually consumes more space than a single large TXT record does. If TCP upgrade of the DNS query is not possible, truncation can occur and some of the replies can get dropped, so you could only get a (basically random) subset of your ASL, leading to false negatives.
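Both points in the reply above, the length constraint on a cleartext <3pdomain>._atps.<sender-domain> record name and the cost of spreading an asl= list over several TXT records, can be made concrete with a few octet counts. The following is an added example written for this archive page; it is not code from the list discussion or from either author's ATPS or ASL implementation. It assumes the hashed record label is the hex-encoded MD5 digest of the lower-cased third-party domain (the mail does not state the encoding), applies the 255-octet wire-format limit on names and the 512-octet UDP payload limit from RFC 1035, and the domain names, the asl= lists and the _adsp query name are constructed for illustration.

```python
import hashlib
from typing import List

# RFC 1035 limits: a name is at most 255 octets on the wire, and a plain
# (non-EDNS0) UDP reply carries at most 512 octets.
MAX_WIRE_NAME = 255
UDP_PAYLOAD_LIMIT = 512


def wire_name_length(name: str) -> int:
    """Octets a name occupies in wire format: one length octet per label,
    the label bytes, and the terminating zero-length root label."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return sum(1 + len(lab) for lab in labels) + 1


def cleartext_atps_name(third_party: str, sender: str) -> str:
    """The cleartext form discussed in the mail: <3pdomain>._atps.<sender-domain>."""
    return f"{third_party.rstrip('.')}._atps.{sender.rstrip('.')}"


def hashed_atps_name(third_party: str, sender: str) -> str:
    """The hashed form: a digest of the third-party domain in place of the
    name itself.  Hex-encoded MD5 of the lower-cased domain is an assumption
    of this example; the mail does not state the encoding.  Whatever the
    third-party name's length, the label is always 32 characters."""
    digest = hashlib.md5(third_party.rstrip(".").lower().encode("ascii")).hexdigest()
    return f"{digest}._atps.{sender.rstrip('.')}"


def name_fits(name: str) -> bool:
    return wire_name_length(name) <= MAX_WIRE_NAME


def txt_rdata_length(text: str) -> int:
    """RDATA of a TXT record is a sequence of <character-string>s, each at
    most 255 octets and each preceded by one length octet."""
    data = text.encode("ascii")
    chunks = max(1, (len(data) + 254) // 255)
    return len(data) + chunks


def reply_size(question_name: str, texts: List[str]) -> int:
    """Size of a reply carrying one TXT RR per element of `texts`, all with
    the same owner name.  Header (12) + question (QNAME + QTYPE + QCLASS),
    then per RR: 2-octet compression pointer for the owner, TYPE(2),
    CLASS(2), TTL(4), RDLENGTH(2) and the RDATA."""
    question = wire_name_length(question_name) + 4
    answers = sum(12 + txt_rdata_length(t) for t in texts)
    return 12 + question + answers


def reply_fits_udp(question_name: str, texts: List[str]) -> bool:
    return reply_size(question_name, texts) <= UDP_PAYLOAD_LIMIT


def asl_records(domains: List[str], per_record: int) -> List[str]:
    """Render an asl= list as one TXT record (per_record >= len(domains))
    or as several records each carrying at most `per_record` domains."""
    return ["dkim=all; asl=" + ",".join(domains[i:i + per_record])
            for i in range(0, len(domains), per_record)]


# --- constructed sample data (not real domains) ---
LONG_SENDER = ".".join(["x" * 63, "y" * 63, "z" * 63])   # three maximal labels
LONG_THIRD_PARTY = "w" * 63 + ".example.net"
ASL_DOMAINS = [f"partner{i:02d}.example" for i in range(20)]
ASL_QUERY_NAME = "_adsp._domainkey.example.com"

if __name__ == "__main__":
    clear = cleartext_atps_name(LONG_THIRD_PARTY, LONG_SENDER)
    hashed = hashed_atps_name(LONG_THIRD_PARTY, LONG_SENDER)
    print("cleartext:", wire_name_length(clear), "octets, fits:", name_fits(clear))
    print("hashed:   ", wire_name_length(hashed), "octets, fits:", name_fits(hashed))
    one = asl_records(ASL_DOMAINS, len(ASL_DOMAINS))
    five = asl_records(ASL_DOMAINS, 4)
    print("one TXT RR:  ", reply_size(ASL_QUERY_NAME, one), "octets")
    print("five TXT RRs:", reply_size(ASL_QUERY_NAME, five), "octets, fits in 512:",
          reply_fits_udp(ASL_QUERY_NAME, five))
```

With the constructed names, the cleartext record name comes to 275 octets on the wire and cannot exist, while the hashed form of the same pair is 232 octets and fits, because the digest label is a fixed 33 octets regardless of how long the third-party domain is. For the asl= list, the same twenty domains cost 433 octets as one TXT record but 536 octets as five, since every additional RR adds its own 12 octets of owner pointer, type, class, TTL and RDLENGTH; the split reply crosses the 512-octet UDP limit and is exactly the case where a resolver that cannot retry over TCP sees a truncated, partial set of records.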