Additional comment for Appendix A, Example Query and Reply when there
are no signatures:
1. A TXT query is made, per [ADSP], to
"_adsp._domainkey.example.com" to query for its Author Domain
Signing Practices. If no valid reply is returned or the reply
does not contain an "atps" tag with value "y", the algorithm
stops with [AUTHRES] result "none".
You can word it, but something like:
if atps=y exists and there are no signatures, then this is a
DOMAIN POLICY failure.
We should probably be reviewing RFC 5016 to consider what Domain
Expectations and failure means. In addition, RFC 5016 speaks of doing
a POLICY lookup when there are no signatures or invalid signatures
which RFC 4871 defines as "no signature."
If we are serious about this, you should probably begin getting an IETF
working group and list area for working out the details and logistics.
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
Hector Santos wrote:
Murray S. Kucherawy wrote:
http://www.ietf.org/id/draft-kucherawy-dkim-atps-00.txt
Comments welcome.
Murray, I should be completed with implementation of the ATPS project
and released to beta testers by noon today (EST).
Questions:
1) Why the MD5 hashing? What's the gain here?
I am viewing this as a higher record keeping requirement. You can't
eyeball this and see what domains are authorized. You might want to
comment to add some value such as the domain being hashed here.
2) Why not have multiple results for one DNS query? That is the
approach I am taking with ASL. If the asl= tag becomes too long, I
leave it up to the DNS admin to create another ADSP record and the ASL
aware verifier will merge multiple TXT response headers. That was
explored with DSAP defining different sub-domain policies.
nsLookup or dig the TXT record for:
_dsap.isdg.net
Non-authoritative answer:
_dsap.isdg.net text =
"v=dsap1.0; sd=list; rr=0; op=never; 3p=optional;
3pl=mipassoc.org"
_dsap.isdg.net text =
"v=dsap1.0; sd=*; rr=0; op=optional; 3p=never; a=rsa-sha256;
fa=fail; fx=fail; fs=fail;"
_dsap.isdg.net text =
"v=dsap1.0; sd=corp; rr=0; op=always; 3p=never; a=rsa-sha256;"
_dsap.isdg.net text =
"v=dsap1.0; sd=sales; rr=0; op=always; 3p=never; a=rsa-sha256;"
_dsap.isdg.net text =
"v=dsap1.0; sd=europe.sales; rr=0; op=always; 3p=never;
a=rsa-sha256;"
_dsap.isdg.net text =
"v=dsap1.0; sd=public; rr=0; op=never; 3p=never;"
Using a lookup query of just:
_atps.author-domain
then you return one or more TXT records that are defined, each having
some value representing one or more domains.
Anyway, I don't see the "benefits" of a label being an MD5 hash vs a
literal sub-domain. The latter seems easier and accomplishes the
same thing.
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
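The three points argued in the thread (the "no signatures" branch of the ADSP/ATPS lookup, a hashed label versus a literal sub-domain label for the third-party query name, and merging several TXT records returned for one name) can be tried out in a small toy verifier. The code below is an added example written for this page; it is not code from the thread, from the ATPS draft, or from the author's ASL/DSAP implementation. The hashed-label encoding (MD5, base32, no padding), the result strings "none" and "policy", the reading of sd=* as a catch-all, and a comma-separated 3pl= list are assumptions made for illustration; the six DSAP records are the ones shown in the quoted dig output.

```python
# Added example, not from the dkim-ops thread or any draft. Toy verifier
# illustrating: (1) the no-signature branch of the ADSP/ATPS lookup,
# (2) hashed vs literal label for a third-party signer query name,
# (3) merging a multi-record TXT reply the DSAP/ASL way.
import base64
import hashlib


def parse_tags(txt):
    """Split a DKIM-style 'k=v; k=v' TXT string into a dict (keys lowercased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def no_signature_result(adsp_txt_records):
    """Result for a message carrying no DKIM signature at all.

    Per the quoted step 1, no valid ADSP record (or one without atps=y)
    yields 'none'.  With atps=y present the thread proposes a domain-policy
    failure; it is reported here as 'policy' (assumed label)."""
    for txt in adsp_txt_records:
        if parse_tags(txt).get("atps", "").lower() == "y":
            return "policy"
    return "none"


def hashed_label(domain):
    """Hashed-label variant: MD5 of the lowercased domain, base32 without
    padding.  Assumed encoding for illustration; not the draft's definition."""
    digest = hashlib.md5(domain.lower().encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()


def atps_query_name(author_domain, signer_domain, hashed):
    """Query name under the author domain for one third-party signer.
    hashed=False gives the literal sub-domain label; note it stays readable."""
    label = hashed_label(signer_domain) if hashed else signer_domain.lower()
    return f"{label}._atps.{author_domain.lower()}"


# Constructed DNS answer: the six DSAP TXT strings shown for _dsap.isdg.net.
DSAP_ISDG_NET = [
    "v=dsap1.0; sd=list; rr=0; op=never; 3p=optional; 3pl=mipassoc.org",
    "v=dsap1.0; sd=*; rr=0; op=optional; 3p=never; a=rsa-sha256; fa=fail; fx=fail; fs=fail;",
    "v=dsap1.0; sd=corp; rr=0; op=always; 3p=never; a=rsa-sha256;",
    "v=dsap1.0; sd=sales; rr=0; op=always; 3p=never; a=rsa-sha256;",
    "v=dsap1.0; sd=europe.sales; rr=0; op=always; 3p=never; a=rsa-sha256;",
    "v=dsap1.0; sd=public; rr=0; op=never; 3p=never;",
]


def merge_by_subdomain(txt_records):
    """Merge every TXT string returned for one name into {sd: tags}, the way
    a DSAP/ASL-aware verifier merges a multi-record reply."""
    merged = {}
    for txt in txt_records:
        tags = parse_tags(txt)
        if tags.get("v") == "dsap1.0" and "sd" in tags:
            merged[tags["sd"].lower()] = tags
    return merged


def policy_for(author_domain, base_domain, txt_records):
    """Select the record whose sd= label equals the author domain's part below
    base_domain; fall back to sd=* (assumed here to be the catch-all)."""
    policies = merge_by_subdomain(txt_records)
    author_domain, base_domain = author_domain.lower(), base_domain.lower()
    suffix = "." + base_domain
    if author_domain.endswith(suffix):
        sub = author_domain[: -len(suffix)]
        if sub in policies:
            return policies[sub]
    return policies.get("*")


def third_party_allowed(policy, signer_domain):
    """True when the chosen policy permits signer_domain as a third party:
    3p=never forbids all; otherwise the signer must be in the 3pl= list
    (assumed comma-separated), or no list is given and any signer passes."""
    if policy is None or policy.get("3p", "never") == "never":
        return False
    allowed = {d.strip().lower() for d in policy.get("3pl", "").split(",") if d.strip()}
    return not allowed or signer_domain.lower() in allowed


if __name__ == "__main__":
    print(no_signature_result(["dkim=all; atps=y"]))
    print(atps_query_name("example.com", "mipassoc.org", hashed=False))
    print(atps_query_name("example.com", "mipassoc.org", hashed=True))
    print(third_party_allowed(policy_for("list.isdg.net", "isdg.net", DSAP_ISDG_NET), "mipassoc.org"))
```

Run it as a script to see the two query-name forms side by side: the literal label can be read off directly, while the hashed label has to be recomputed for every candidate signer before an operator can tell which domains a zone authorizes, which is the record-keeping cost raised in question 1.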