[ietf-dkim] Issue #1265: Signing by parent domains

Steve Atkins steve at blighty.com
Sat May 27 07:38:29 PDT 2006


On May 27, 2006, at 7:24 AM, Douglas Otis wrote:

> On Fri, 2006-05-26 at 18:24 -0700, Paul Hoffman wrote:
>> At 6:08 PM -0700 5/26/06, Douglas Otis wrote:
>>> ... i=somebody@some-domain.co.uk d=co.uk
>>>
>>> Currently this is permitted in the base draft which indicates the
>>> parent domain is authoritative for sub-domains.
>>
>> This is absurd. Under which scenario would a signer in
>> some-domain.co.uk possibly put d=co.uk in their signature?
>
> If a bad actor compromised a system handling the private key half of the
> published key at d=co.uk, or got lucky cracking the key with a massive
> bot-net or specialized hardware, then they would be able to generate
> messages with email-addresses annotated as verified for _all_ of
> *.co.uk.  Compromising a key high in the hierarchy, per the current
> draft, would have a huge pay-off when spoofing messages.

Given that no mail is sent from co.uk, why would there be such a
key, unless your supposed attacker had already compromised the
co.uk DNS infrastructure?

This argument is well beyond absurd.

>
> Not allowing this unconfirmed assertion that the "parent is always
> authoritative for email-addresses within sub-domains" removes any
> special concern that exists with regard to MTA security at some higher
> level. Remove this baseless assertion, and then security can be
> strengthened according to the need at the level being verified.

I can see several good arguments against this feature, but they're all
based on complexity, not security.

Could we perhaps move on?

Cheers,
   Steve
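The relationship the thread argues over is the one between the d= (signing domain) and i= (agent identity) tags of a DKIM-Signature header: under the rule described above, the i= domain may be the d= domain itself or any sub-domain of it, so d=co.uk with i=somebody@some-domain.co.uk is accepted. The following is an added example, not code from this thread or from the DKIM draft; it assumes Python, constructed header values (the bh= and b= fields are placeholders, since only the identity check is shown, not signature verification), and a hypothetical verifier-local switch `require_exact` that a site could use to demand an exact d=/i= domain match instead of the sub-domain rule.

```python
from dataclasses import dataclass

# Constructed DKIM-Signature header values for this example. bh= and b= are
# placeholders: this code checks only the i=/d= relationship, not the signature.
SAMPLE_HEADERS = {
    # The case argued about in the thread: a parent-domain signature (d=co.uk)
    # over an identity inside a sub-domain.
    "parent_signs": ("v=1; a=rsa-sha256; d=co.uk; s=sel;\r\n"
                     "\ti=somebody@some-domain.co.uk; h=from:to:subject;\r\n"
                     "\tbh=placeholder; b=placeholder"),
    # The ordinary case: the signing domain and identity domain are the same.
    "same_domain": ("v=1; a=rsa-sha256; d=some-domain.co.uk; s=sel;\r\n"
                    "\ti=somebody@some-domain.co.uk; h=from:to:subject;\r\n"
                    "\tbh=placeholder; b=placeholder"),
    # A look-alike that is NOT a sub-domain of co.uk (string suffix match
    # would wrongly accept it; label-wise comparison rejects it).
    "lookalike": ("v=1; a=rsa-sha256; d=co.uk; s=sel;\r\n"
                  "\ti=somebody@evilco.uk; h=from:to:subject;\r\n"
                  "\tbh=placeholder; b=placeholder"),
    # No i= tag at all: the identity defaults to "@" followed by the d= value.
    "no_identity": ("v=1; a=rsa-sha256; d=co.uk; s=sel; h=from:to:subject;\r\n"
                    "\tbh=placeholder; b=placeholder"),
}


def parse_tags(header_value: str) -> dict:
    """Parse a DKIM tag=value list ('tag=value; tag=value;'), tolerating
    folding whitespace around tags and inside values (e.g. a folded b=)."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:            # trailing ';' or empty element
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        name = name.strip()
        value = "".join(value.split())   # drop FWS inside the value
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value
    return tags


def _labels(domain: str) -> list:
    """Split a domain into lower-cased labels, rejecting empty labels."""
    labels = domain.strip().lower().rstrip(".").split(".")
    if not domain.strip() or any(not label for label in labels):
        raise ValueError(f"malformed domain: {domain!r}")
    return labels


def is_same_or_subdomain(child: str, parent: str) -> bool:
    """True if child == parent or child is below parent, compared label-wise
    (so 'evilco.uk' is NOT a sub-domain of 'co.uk')."""
    c, p = _labels(child), _labels(parent)
    return len(c) >= len(p) and c[-len(p):] == p


@dataclass
class IdentityCheck:
    signing_domain: str      # d= tag
    agent_identity: str      # i= tag, or its default "@<d>"
    identity_domain: str     # domain part of the identity
    permitted: bool          # whether d= may vouch for this identity
    reason: str


def check_identity(header_value: str, require_exact: bool = False) -> IdentityCheck:
    """Apply the i=/d= rule. By default the identity domain must be d= or a
    sub-domain of it (the 'parent is authoritative for sub-domains' rule).
    require_exact is a hypothetical local policy that instead demands the
    identity domain equal d= exactly, i.e. no parent-domain signing."""
    tags = parse_tags(header_value)
    d = tags.get("d")
    if not d:
        raise ValueError("d= tag is required")
    identity = tags.get("i", "@" + d)
    if "@" not in identity:
        raise ValueError("i= must contain '@'")
    identity_domain = identity.rsplit("@", 1)[1]
    if require_exact:
        permitted = _labels(identity_domain) == _labels(d)
        reason = "exact d= match required by local policy"
    else:
        permitted = is_same_or_subdomain(identity_domain, d)
        reason = "identity domain must be d= or a sub-domain of d="
    return IdentityCheck(d, identity, identity_domain, permitted, reason)


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        for strict in (False, True):
            r = check_identity(header, require_exact=strict)
            print(f"{name:13} strict={strict!s:5} d={r.signing_domain:20} "
                  f"i={r.agent_identity:32} permitted={r.permitted}")
```

Run as a script to see each constructed header judged under both policies: the thread's parent_signs case passes the sub-domain rule and fails the exact-match policy, the same_domain case passes both, and the lookalike case fails both because the comparison is done on labels rather than on a string suffix.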
