
[dkim-ops] DKIM - ATPS

2010-09-22 07:21:44
Murray S. Kucherawy wrote:

http://www.ietf.org/id/draft-kucherawy-dkim-atps-00.txt

Comments welcome.

Murray, I should have completed the implementation of the ATPS project 
and released it to beta testers by noon today (EST).

Questions:

1) Why the MD5 hashing? What's the gain here?

I am viewing this as a higher record keeping requirement.  You can't 
eyeball this and see what domains are authorized.   You might want to 
comment to add some value such as the domain being hashed here.

2) Why not have multiple results for one DNS query? That is the 
approach I am taking with ASL. If the asl= tag becomes too long, I 
leave it up to the DNS admin to create another ADSP record and the ASL 
aware verifier will merge multiple TXT response headers. That was 
explored with DSAP defining different sub-domain policies.

nslookup or dig the TXT record for:

       _dsap.isdg.net

Non-authoritative answer:
_dsap.isdg.net  text =

         "v=dsap1.0; sd=list; rr=0; op=never; 3p=optional; 3pl=mipassoc.org"
_dsap.isdg.net  text =

         "v=dsap1.0; sd=*; rr=0; op=optional; 3p=never; a=rsa-sha256; fa=fail; fx=fail; fs=fail;"
_dsap.isdg.net  text =

         "v=dsap1.0; sd=corp; rr=0; op=always; 3p=never; a=rsa-sha256;"
_dsap.isdg.net  text =

         "v=dsap1.0; sd=sales; rr=0; op=always; 3p=never; a=rsa-sha256;"
_dsap.isdg.net  text =

         "v=dsap1.0; sd=europe.sales; rr=0; op=always; 3p=never; a=rsa-sha256;"
_dsap.isdg.net  text =

         "v=dsap1.0; sd=public; rr=0; op=never; 3p=never;"

Using a lookup query of just:

    _atps.author-domain

then you return one or more TXT records that are defined, each having 
some value representing one or more domains.

Anyway, I don't see the "benefits" of a label being an MD5 hash vs a 
literal sub-domain. The latter seems easier and accomplishes the 
same thing.

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com


_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
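
The two designs compared in the message above, as an added example that is not part of the original post or of any implementation it mentions: a per-signer query name with a hashed versus a literal label, and a single query whose multiple TXT answers are merged into one authorized-signer list. Assumptions: the hash label is the hex MD5 of the lowercased signer domain, asl= values are comma-separated, the function names are hypothetical, and the two ADSP records are constructed sample data.

```python
import hashlib

# Constructed sample: two ADSP-style TXT answers for one query name, each
# carrying part of the authorized-signer list (comma separator is an assumption).
ADSP_TXT = [
    "dkim=all; asl=mipassoc.org,lists.example.net",
    "dkim=all; asl=esp.example.com, MIPASSOC.ORG",
]
# One of the DSAP records shown in the post, unchanged.
DSAP_TXT = "v=dsap1.0; sd=list; rr=0; op=never; 3p=optional; 3pl=mipassoc.org"

def parse_tags(txt):
    """Parse a 'tag=value; tag=value' TXT string into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def merge_authorized(txt_records, tag="asl"):
    """Union the signer lists found in every TXT record of one answer."""
    signers = set()
    for txt in txt_records:
        value = parse_tags(txt).get(tag, "")
        signers.update(d.strip().lower().rstrip(".")
                       for d in value.split(",") if d.strip())
    return sorted(signers)

def is_authorized(signer, txt_records, tag="asl"):
    """True only if the signer appears in the merged list (default deny)."""
    return signer.lower().rstrip(".") in merge_authorized(txt_records, tag)

def literal_query_name(signer, author):
    """Per-signer lookup with the signer domain itself as the label."""
    return f"{signer.lower()}._atps.{author.lower()}"

def hashed_query_name(signer, author):
    """Per-signer lookup with an MD5 label (hex encoding is an assumption)."""
    digest = hashlib.md5(signer.lower().encode("ascii")).hexdigest()
    return f"{digest}._atps.{author.lower()}"

if __name__ == "__main__":
    print(literal_query_name("mipassoc.org", "isdg.net"))  # readable in a zone file
    print(hashed_query_name("mipassoc.org", "isdg.net"))   # needs a side note to audit
    print(merge_authorized(ADSP_TXT))
```
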