dotis at mail-abuse.org
Mon Jun 16 08:42:25 PDT 2008
On Jun 16, 2008, at 1:13 AM, Murray S. Kucherawy wrote:
> On Thu, 12 Jun 2008, ietf-dkim-request at mipassoc.org wrote:
>> Adding to this, Murray Kucherawy's draft captures the i= (identity)
>> parameter and a worthless s= (selector) parameter. The s=
>> parameter offers little value since the d= (key domain) parameter
>> is missing. Only the d= parameter (upon which the s= parameter
>> rests) represents a domain validated by a verified signature.
> It's not worthless to an implementor or administrator interested in
> figuring out why his/her mail isn't verifying properly.
And to resolve such issues, knowing which Key Domain is being used is
still important, but nonetheless ignored. If fact, the key domain is
likely needed to resolve issues for organizations that use sub-domains!
> Any developer would love to have as much of the original data as
> possible to reconstruct the failure scenario.
Your strategy appears to ignore the _least_ easily changed identifier
validated by a DKIM signature. Controlling resource costs for
collecting and distributing defensive information _requires_ stable
identifiers. Without some level of identity stability, any defensive
strategy will _explode_ due to enviable abuse. No database scheme can
scale to accommodate virtual identifiers that only exist within a
> Not everything in this working group is about crypto and security.
> We implementors do sometimes think about other things.
While such a scheme might be seen as Sender friendly if adopted, this
would doom DKIM. Selectors devoid of the publishing domain offers no
value. To suggest otherwise would be in support of a false premise.
More information about the ietf-dkim