[ietf-dkim] New Issue: Applicability of SSP to subdomains

Jim Fenton fenton at cisco.com
Thu Dec 7 20:33:13 PST 2006


Doug,

I'm really confused by your reply.  The question is simply, "should it 
be possible for an SSP record published by example.com to also apply to 
sub.example.com [for any value of sub]".  I don't see how it relates to 
EAI, annotation, and so forth.

I interpret your response as expressing the position that this should 
not be a requirement.  Let me know if I have that wrong.

-Jim

Douglas Otis wrote:
>
> On Dec 7, 2006, at 2:46 PM, Jim Fenton wrote:
>
>> I'd like to bring up this topic again, which I raised on November 9 
>> and got only a little discussion and didn't make it into the issue 
>> tracker.  The various drafts that have been proposed for SSP differ 
>> substantially in how they address subdomains, and I'd still like to 
>> understand whether this is an SSP requirement or not.
>
> This concern incorrectly assumes protection is afforded as a type of 
> prohibition.  Such a prohibition fails with respect to EAI, as this 
> eliminates reliance upon visual inspection, as well as changing 
> headers viewed by the recipient.
>
> When the protection afforded by DKIM is based upon an annotation of 
> the "recognized" email-addresses "associated" with a valid signature, 
> then there is _no_ need to have policy be associated with 
> sub-domains.  There is also _no_ need to search for policy either.  
> Without an "associative" mechanism, the message simply does not 
> receive any annotation.  Nothing is blocked, but then nothing gets 
> annotated either.
>
> DKIM requires some form of annotation as the signature is invisible by 
> design.  The "recognition" of the email-address should be based upon 
> actual email-address comparisons that have been previously retained 
> by the recipient.  These retained email-addresses might be in the form 
> of an address-book or a DAC compatible list.
>
> It is hard to imagine chasing 2 million new domains every day.  It 
> does not matter what policy is required, or what hoops bad actors jump 
> through, they will not be limited by these requirements.  Just the 
> opposite.  Nor will reliance upon visual examination offer any 
> protection either.  Just the opposite.  There is a large part of the 
> world that does not even use ASCII email-addresses.  : )
>
> -Doug

