dkim-ops

Re: [dkim-ops] DKIM - ATPS Example

2010-09-22 08:09:51
Additional comment for Appendix A.  Example Query and Reply when there 
are no signatures:

   1.  A TXT query is made, per [ADSP], to
        "_adsp._domainkey.example.com" to query for its Author Domain
        Signing Practices.  If no valid reply is returned or the reply
        does not contain an "atps" tag with value "y", the algorithm
        stops with [AUTHRES] result "none".

You can word it, but something like:

        if atps=y exists and there are no signatures, then this is a
        DOMAIN POLICY failure.

We should probably be reviewing RFC 5016 to consider what Domain 
Expectations and failure means.  In addition, RFC 5016 speaks of doing 
a POLICY lookup when there are no signatures or invalid signatures 
which RFC 4871 defines as "no signature."

If we are serious about this, you should probably begin getting an IETF 
working group and list area for working out the details and logistics.

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com



Hector Santos wrote:
Murray S. Kucherawy wrote:

http://www.ietf.org/id/draft-kucherawy-dkim-atps-00.txt

Comments welcome.

Murray, I should have the implementation of the ATPS project completed 
and released to beta testers by noon today (EST).

Questions:

1) Why the MD5 hashing?   What's the gain here?

I am viewing this as a higher record keeping requirement.  You can't 
eyeball this and see what domains are authorized.   You might want to 
comment to add some value such as the domain being hashed here.

2) Why not have multiple results for one DNS query?  That is the 
approach I am taking with ASL.   If the asl= tag becomes too long, I 
leave it up to the DNS admin to create another ADSP record and the ASL 
aware verifier will merge multiple TXT response headers.    That was 
explored with DSAP defining different sub-domain policies.

nsLookup or dig the TXT record for:

       _dsap.isdg.net

Non-authoritative answer:
_dsap.isdg.net  text =

         "v=dsap1.0; sd=list; rr=0; op=never; 3p=optional; 3pl=mipassoc.org"
_dsap.isdg.net  text =

         "v=dsap1.0; sd=*; rr=0; op=optional; 3p=never; a=rsa-sha256; fa=fail; fx=fail; fs=fail;"
_dsap.isdg.net  text =

         "v=dsap1.0; sd=corp; rr=0; op=always; 3p=never; a=rsa-sha256;"
_dsap.isdg.net  text =

         "v=dsap1.0; sd=sales; rr=0; op=always; 3p=never; a=rsa-sha256;"
_dsap.isdg.net  text =

         "v=dsap1.0; sd=europe.sales; rr=0; op=always; 3p=never; a=rsa-sha256;"
_dsap.isdg.net  text =

         "v=dsap1.0; sd=public; rr=0; op=never; 3p=never;"

Using a lookup query of just:

    _atps.author-domain

then you return one or more TXT records that are defined, each have 
some value representing one or more domains.

Anyway, I don't see the "benefits" of a label being an MD5 hash vs a 
literal sub-domain.   The latter seems easier and accomplishes the 
same thing.





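The two verifier behaviours argued over in this thread, side by side, as an added example that is not code from the thread, from the ATPS draft or from either poster's implementation: step 1 of the appendix (the `_adsp._domainkey` query for `atps=y`), Hector's proposed rule that `atps=y` with no signature is a policy failure, and the two ways of asking "is this signing domain authorized": a hashed label per third party (`<hash>._atps.<author-domain>`) versus one literal `_atps.<author-domain>` name whose several TXT records the verifier merges. The MD5-as-hex label encoding, the `v=ATPS1; d=` tag names and every DNS record in `FAKE_DNS` are assumptions made for this example, not facts taken from the draft.

```python
import hashlib


def _hashed_label(third_party: str) -> str:
    """Label form discussed in the thread: MD5 of the lowercased third-party
    domain. Hex encoding is an assumption for this example, not the draft's."""
    return hashlib.md5(third_party.lower().encode("ascii")).hexdigest()


# Constructed stand-in for DNS TXT lookups (name -> list of TXT strings).
# Every record here is invented for the example; none is real zone data.
FAKE_DNS = {
    "_adsp._domainkey.example.com": ["dkim=all; atps=y"],
    "_adsp._domainkey.nopolicy.example": ["dkim=unknown"],
    # Hashed-label scheme: one TXT record per authorised third party.
    _hashed_label("mipassoc.org") + "._atps.example.com": ["v=ATPS1; d=mipassoc.org"],
    # Literal scheme (the alternative raised in the thread): one name, several
    # TXT records, which the verifier merges into one authorised set.
    "_atps.example.com": ["v=ATPS1; d=mipassoc.org", "v=ATPS1; d=lists.example.net"],
}


def lookup_txt(name: str, dns=FAKE_DNS):
    """Return all TXT strings at a name (empty list when nothing is published)."""
    return dns.get(name.lower(), [])


def parse_tags(txt: str) -> dict:
    """Parse a 'k=v; k2=v2' tag list (the same shape ADSP and DKIM records use)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def adsp_requests_atps(author_domain: str, dns=FAKE_DNS) -> bool:
    """Appendix step 1: query _adsp._domainkey.<author-domain> for atps=y."""
    for txt in lookup_txt(f"_adsp._domainkey.{author_domain}", dns):
        if parse_tags(txt).get("atps", "").lower() == "y":
            return True
    return False


def authorized_hashed(author_domain: str, third_party: str, dns=FAKE_DNS) -> bool:
    """Hashed-label lookup: <md5(third_party)>._atps.<author-domain>.
    The d= tag in the reply must name the same domain, so a stray or
    colliding record cannot authorise a domain it does not literally list."""
    name = f"{_hashed_label(third_party)}._atps.{author_domain}"
    return any(parse_tags(t).get("d", "").lower() == third_party.lower()
               for t in lookup_txt(name, dns))


def authorized_literal(author_domain: str, third_party: str, dns=FAKE_DNS) -> bool:
    """Literal lookup: one query to _atps.<author-domain>; every TXT record
    returned contributes its d= domain to the merged authorised set."""
    allowed = {parse_tags(t).get("d", "").lower()
               for t in lookup_txt(f"_atps.{author_domain}", dns)}
    return third_party.lower() in allowed


def evaluate(author_domain: str, signing_domains, scheme="hashed", dns=FAKE_DNS) -> str:
    """Authentication-Results style verdict: 'none', 'pass' or 'fail'.
    signing_domains lists the d= of each signature that already verified."""
    if not adsp_requests_atps(author_domain, dns):
        return "none"      # no ADSP record asks for ATPS: the algorithm stops
    if not signing_domains:
        return "fail"      # atps=y but no valid signature: domain policy failure
    check = authorized_hashed if scheme == "hashed" else authorized_literal
    for d in signing_domains:
        # A first-party signature needs no third-party authorisation.
        if d.lower() == author_domain.lower() or check(author_domain, d, dns):
            return "pass"
    return "fail"


if __name__ == "__main__":
    for author, signers, scheme in [
        ("nopolicy.example", ["mipassoc.org"], "hashed"),
        ("example.com", [], "hashed"),
        ("example.com", ["mipassoc.org"], "hashed"),
        ("example.com", ["lists.example.net"], "literal"),
        ("example.com", ["attacker.example"], "literal"),
    ]:
        print(f"{author:20} {scheme:8} {signers!s:24} -> {evaluate(author, signers, scheme)}")
```

Both lookups give the same verdict for `mipassoc.org`; the difference the thread is about is only visible to the zone administrator, who can read `_atps.example.com` with dig but has to compute `_hashed_label("mipassoc.org")` to recognise the hashed record. The `d=` comparison in `authorized_hashed` is the check worth keeping whichever scheme wins: without it, any record that happens to sit at the hashed name authorises the signer.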
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops