[ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt]

Stephen Farrell stephen.farrell at cs.tcd.ie
Sat Jan 14 11:33:42 PST 2006


Doug,

Since there's no point in just repeating stuff, I won't. But you've
not convinced me about the additional abuse from open policies nor
that closed policies are problematic. I haven't heard anyone else
yelling eureka! either.

>>> A large domain has an advantage that a smaller domain does not.[...]
>>
>> I don't see how we can design a protocol to level that playing field.
> 
> The concern is not about leveling the playing field, but rather not 
> giving the large domain a powerful club with which to beat the heck out 
> of smaller domains.  This requires avoiding any reason or excuse for an 
> open policy to be published.

I don't get your logic there. What is the relationship between domain
size and SSP that gives rise to a (technical) threat? I don't believe
there is one.

[...paradox lost...]
> For example, a second level domain "co.jp" publishes the 'o=.' policy.
> This would mean all sub-domains must then also publish a policy or
> forgo expectations of having their email accepted.

"o=." states that nothing in co.jp sends email (I hate those terse
labels being used in discussion, whatever about in the DNS.) I assume
that some enterprises in co.jp would complain mightily,  i.e. that's
not going to happen.

> A mechanism to indicate the
> SSP record does not apply to sub-domains would ensure the search could 
> end, but would then not be applied to the sub-domains.  A separate 
> mechanism not part of the 'o=' could be used, such as 'i=y' or 'i=n' for 
> sub-domains inherit policy (yes/[no]).  

Maybe. I could imagine some benefit were SSP to allow inclusion
of something like a "depth" value which'd say that this policy applies
here and N more levels down. Sort of like the pathLenConstraint in
X.509. But that's for later in any case when we're doing SSP.

> The paradox occurs when co.jp wishes to use email normally.

Nope. That's not a paradox at all.

> When the signing/email domains don't match and "some legitimate
> messages are not signed or are signed by others" policy is discovered,
> how does this relate to what messages are conformant?

That's up to the verifier and not in scope of threats. We might want
to discuss a bit when it's time to do SSP, but absent any demonstrated
threat, it's definitely for later I believe.

Stephen.
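
The "depth" idea floated above, sketched as an added example that is not part of the original message or of any SSP draft. The record layout, the `depth` field, the `find_policy` name and the "signs-all" label are assumptions made for illustration, and the search is assumed to end at the first record found, as the quoted text suggests.

```python
# Constructed sample data: hypothetical SSP records keyed by domain.
# "policy" is treated as an opaque label. "depth" is the hypothetical
# field from the message: the record applies at its own name and
# `depth` more levels down (compare pathLenConstraint in X.509).
SAMPLE_RECORDS = {
    "co.jp": {"policy": "o=.", "depth": 0},
    "example.co.jp": {"policy": "signs-all", "depth": 1},
}


def find_policy(domain, records):
    """Walk from `domain` towards the root and stop at the first record.

    Returns (publisher, policy) when that record's depth reaches down
    to `domain`, or None when no record is found or the one found does
    not extend that far.
    """
    labels = domain.lower().rstrip(".").split(".")
    # distance 0 is the domain itself, 1 its parent, and so on.
    for distance in range(len(labels)):
        candidate = ".".join(labels[distance:])
        record = records.get(candidate)
        if record is None:
            continue
        # Assumption: the search ends here whether or not the record
        # applies, so a depth-0 record at "co.jp" cannot impose a
        # policy on names registered beneath it.
        if distance <= record["depth"]:
            return candidate, record["policy"]
        return None
    return None


if __name__ == "__main__":
    for name in ("co.jp", "other.co.jp", "mail.example.co.jp",
                 "a.mail.example.co.jp"):
        print(name, "->", find_policy(name, SAMPLE_RECORDS))
```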


