Murray S. Kucherawy wrote:
http://www.ietf.org/id/draft-kucherawy-dkim-atps-00.txt
Comments welcome.
Murray, I should have completed the implementation of the ATPS project
and released it to beta testers by noon today (EST).
Questions:
1) Why the MD5 hashing? What's the gain here?
I am viewing this as a higher record keeping requirement. You can't
eyeball this and see what domains are authorized. You might want to
comment to add some value such as the domain being hashed here.
2) Why not have multiple results for one DNS query? That is the
approach I am taking with ASL. If the asl= tag becomes too long, I
leave it up to the DNS admin to create another ADSP record, and the ASL
aware verifier will merge multiple TXT responses. That was
explored with DSAP defining different sub-domain policies.
nsLookup or dig the TXT record for:
_dsap.isdg.net
Non-authoritative answer:
_dsap.isdg.net text =
"v=dsap1.0; sd=list; rr=0; op=never; 3p=optional;
3pl=mipassoc.org"
_dsap.isdg.net text =
"v=dsap1.0; sd=*; rr=0; op=optional; 3p=never; a=rsa-sha256;
fa=fail; fx=fail; fs=fail;"
_dsap.isdg.net text =
"v=dsap1.0; sd=corp; rr=0; op=always; 3p=never; a=rsa-sha256;"
_dsap.isdg.net text =
"v=dsap1.0; sd=sales; rr=0; op=always; 3p=never; a=rsa-sha256;"
_dsap.isdg.net text =
"v=dsap1.0; sd=europe.sales; rr=0; op=always; 3p=never;
a=rsa-sha256;"
_dsap.isdg.net text =
"v=dsap1.0; sd=public; rr=0; op=never; 3p=never;"
Using a lookup query of just:
_atps.author-domain
then you return one or more TXT records that are defined, each having
some value representing one or more domains.
Anyway, I don't see the "benefits" of a label being an MD5 hash vs. a
literal sub-domain. The latter seems easier and accomplishes the
same thing.
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
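The two points raised above, as an added illustration that is not part of the mail or of the ATPS draft: it contrasts a hashed lookup label with a literal sub-domain label, and shows a verifier merging several TXT answers for one query into a single authorised-signer set, the way the ASL/DSAP approach describes. The hex MD5 encoding, the `asl=` tag format and the `v=asl1` sample records are assumptions constructed for the example; nothing is resolved over live DNS.

```python
import hashlib

# Added example, not the draft's or the mail author's code. Runs offline on
# constructed data; the record syntax below is assumed, not taken from a spec.

def normalize(domain):
    """Lowercase and drop a trailing dot so both label forms compare alike."""
    return domain.strip().rstrip(".").lower()

def hashed_label(third_party):
    # Assumption: hex MD5 over the normalised domain. The -00 draft's exact
    # encoding is not stated in the mail; the point is only that the label
    # is opaque and cannot be eyeballed in a zone file.
    return hashlib.md5(normalize(third_party).encode("ascii")).hexdigest()

def hashed_query(third_party, author_domain):
    """Lookup name in the hashed style: <md5>._atps.<author-domain>."""
    return "%s._atps.%s" % (hashed_label(third_party), normalize(author_domain))

def literal_query(third_party, author_domain):
    """Lookup name in the literal style: <signer-domain>._atps.<author-domain>."""
    return "%s._atps.%s" % (normalize(third_party), normalize(author_domain))

def parse_tags(txt):
    """Split a 'k=v; k=v' TXT string into a dict (same shape as the DSAP records)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def merge_authorized(txt_records, tag="asl"):
    """Union the comma-separated domains of one tag across every TXT answer."""
    allowed = set()
    for txt in txt_records:
        value = parse_tags(txt).get(tag, "")
        allowed.update(normalize(d) for d in value.split(",") if d.strip())
    return allowed

def is_authorized(signer, txt_records, tag="asl"):
    """True if the third-party signer appears in any of the merged records."""
    return normalize(signer) in merge_authorized(txt_records, tag)

# Constructed sample answers for one _atps.example.com query (not real DNS data).
SAMPLE_TXT = [
    "v=asl1; asl=mipassoc.org,lists.example.net",
    "v=asl1; asl=newsletter.example.org",
]

if __name__ == "__main__":
    print(hashed_query("MiPassoc.org.", "example.com"))
    print(literal_query("mipassoc.org", "example.com"))
    print(sorted(merge_authorized(SAMPLE_TXT)))
```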