[ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt]
Stephen Farrell
stephen.farrell at cs.tcd.ie
Mon Jan 16 00:06:59 PST 2006

Doug,

Douglas Otis wrote:
>
> On Jan 14, 2006, at 11:33 AM, Stephen Farrell wrote:
>>>
>>> The concern is not about leveling the playing field, but rather not
>>> giving the large domain a powerful club with which to beat the heck
>>> out of smaller domains. This requires avoiding any reason or excuse
>>> for an open policy to be published.
>>
>> I don't get your logic there. What is the relationship between domain
>> size and SSP that gives rise to a (technical) threat? I don't believe
>> there is one.
>
> a) The severity of the threat of being held culpable for an open-end
> policy reduces as the domain size increases.

Ok. So this is purely subsidiary to your point about open policies
being unfair. I understand now. As I'm not convinced that that point
represents a valid threat I personally don't think that this one
warrants mention either.

>>> When the signing/email domains don't match and "some legitimate
>>> messages are not signed or are signed by others" policy is
>>> discovered, how does this relate to what messages are conformant?
>>
>> That's up to the verifier and not in scope of threats. We might want
>> to discuss a bit when it's time to do SSP, but absent any demonstrated
>> threat, it's definitely for later I believe.
>
> Contemplating how DKIM may be implemented is beyond consideration?

(Feel free to be contemplative! I'd imagine that involves less typing:-)

If you have some precise, realistic scenario to propose that's ok. But
I for one won't answer inexact open questions such as the above since
I'm not interested in prolonging this thread - which would be the
inevitable consequence of attempting an answer. No thanks.

I think we're done on this in terms of being productive, so I suggest
we give people a chance to catch up, and Jim a chance to get another
revision out (as he's asked).

Stephen.