On Thursday 17 August 2006 16:50, Dave Crocker wrote:
This mechanism already exists, is notably simpler than the one being
discussed, and does not suffer the security hole that has been noted.
Simply stated:
If the author's domain is to be used for assessment activities, then
have the signature be made with a domain that is directly related to the
author.
As was already discussed in the comments to the requirements draft, not all
DNS providers give their customers the ability to do subdomain level NS
delegation and so while that approach is good for those who can do it, it
leaves out a portion of the potential user base.
There are a number of different areas where bought infrastructure (whether it
be DNS or mail related) may have a significant impact on the deployability of
DKIM. In my opinion, the ability to provide a list of authorized operators
to associate with a 2822.From is about giving flexibility to domain owners
and operators.
For DKIM-base the minimum DNS capability required is the ability to publish
TXT records with an underscore in the name. There are still some large DNS
providers that do not meet this requirement. If we can work out a reasonable
way to publish a list of authorized signing domains (with all the appropriate
cautions - which as I've said before I volunteer to write and keep writing
until the WG agrees it's right) then SSP does not add any additional
deployment requirements for outsourced DNS. If we don't, then we either add
subdomain NS delegation as an infrastructure requirement or key/selector
update management as an operational complexity.
Not everyone runs their own dedicated infrastructure. A scalable protocol
includes (in my opinion anyway) scaling down to small domains too.
Scott K
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html