[ietf-dkim] Delegating responsibility: a make vs. buy design
ietf-dkim at kitterman.com
Fri Aug 18 11:04:39 PDT 2006
On Friday 18 August 2006 13:49, Michael Thomas wrote:
> Scott Kitterman wrote:
> >On Thursday 17 August 2006 16:50, Dave Crocker wrote:
> >>This mechanism already exists, is notably simpler than the one being
> >>discussed, and does not suffer the security hole that has been noted.
> >>Simply stated:
> >> If the author's domain is to be used for assessment activities, then
> >>have the signature be made with a domain that is directly related to the
> >As was already discussed in the comments to the requirements draft, not
> > all DNS providers give their customers the ability to do subdomain level
> > NS delegation and so while that approach is good for those who can do it,
> > it leaves out a portion of the potential user base.
> Let's be very clear here: not every DNS provider has the ability to do TXT
> records either. Those small businesses, etc, should either pressure
> their providers
> or vote with their feet.
Agreed, but in the interests of deployability, we ought to keep the barriers
to deployment as low as we reasonably can. I already keep a list of name
registrars and DNS providers that support TXT to make it easier for people to
vote with their feet. Let's not end up with someone having to do the same
for subdomain NS delegation:
I think that an explicit list of 'authorized' signers is reasonably doable
with reasonable risk, but obviously opinions differ.
At this point, IIRC, it's a provisional requirement in the requirements draft.
Given the concerns I think it's reasonable to leave it at provisional. Let's
leave it that way in the requirements phase and see what we can work out when
we do the actual design work. If it isn't practical or if the consensus is
that it's to risky, we can, and should, drop it then.
More information about the ietf-dkim