
Re: [dkim-ops] DKIM - ATPS

2010-09-22 12:47:56
-----Original Message-----
From: Hector Santos [mailto:hsantos(_at_)isdg(_dot_)net]
Sent: Wednesday, September 22, 2010 5:19 AM
To: Murray S. Kucherawy
Cc: dkim-ops(_at_)mipassoc(_dot_)org
Subject: DKIM - ATPS

> Murray, I should be completed with implementation of the ATPS project
> and released to beta testers by noon today (EST).

Excellent!  Did you find it easy to code?

> Questions:
>
> 1) Why the MD5 hashing?  What's the gain here?
>
> I am viewing this as a higher record keeping requirement.  You can't
> eyeball this and see what domains are authorized.  You might want to
> comment to add some value such as the domain being hashed here.

You named one of the advantages.  If I can find out what domains you authorize, 
I know what domains I have to try to spoof.  MD5 doesn't exactly hide names 
from being guessed, of course, but at least it's not out in the open.

To see a disadvantage of the cleartext form, consider that the record would 
then be stored at <3pdomain>._atps.<sender-domain>.  Since such a name has a 
maximum size of 256 bytes, the length of the two domains has to add to 249.  
That means the longer <sender-domain> is, the more constrained you are with 
respect to which third parties you can authorize.  That doesn't seem a fair 
system.  A digest offers uniform compression and MD5 is the cheapest of the 
popular hashes, making ATPS equally usable by everyone.

A disadvantage of the hashed form is that wildcarding can't be used to allow a 
<3pdomain> and any subdomain of it to be authorized.  It's not clear to me 
though that this would be common.

> 2) Why not have multiple results for one DNS query?  That is the
> approach I am taking with ASL.  If the asl= tag becomes too long, I
> leave it up to the DNS admin to create another ADSP record and the ASL
> aware verifier will merge multiple TXT response headers.  That was
> explored with DSAP defining different sub-domain policies.

This shortens specific records, but doesn't shorten the overall answer.  If 
multiple TXT records are found, they are all packed into the same single DNS 
reply.  This actually consumes more space than a single large TXT record does.  
If TCP upgrade of the DNS query is not possible, truncation can occur and some 
of the replies can get dropped, so you could only get a (basically random) 
subset of your ASL, leading to false negatives.
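
Added example, not part of the original message or of any ATPS implementation: it builds the cleartext and hashed forms of the `<3pdomain>._atps.<sender-domain>` query name and checks each against the RFC 1035 wire-format limits (63-octet labels, 255-octet names), showing how a long sender domain shrinks the room left for a cleartext third-party name while the hashed label stays a fixed size. The hex encoding of the MD5 digest, the function names and the sample domains are assumptions made for illustration.

```python
import hashlib

MAX_NAME = 255   # RFC 1035: octets in a full name, wire format
MAX_LABEL = 63   # RFC 1035: octets in one label

def labels(name):
    return name.lower().rstrip(".").split(".")

def wire_length(name):
    # one length octet per label, plus the terminating root octet
    return sum(1 + len(lab) for lab in labels(name)) + 1

def cleartext_name(third_party, sender):
    return ".".join(labels(third_party) + ["_atps"] + labels(sender))

def hashed_name(third_party, sender):
    # Assumption: the label is the hex MD5 of the lowercased third-party domain.
    canon = ".".join(labels(third_party)).encode("ascii")
    digest = hashlib.md5(canon, usedforsecurity=False).hexdigest()
    return ".".join([digest, "_atps"] + labels(sender))

def fits_in_dns(name):
    return (all(0 < len(lab) <= MAX_LABEL for lab in labels(name))
            and wire_length(name) <= MAX_NAME)

def cleartext_budget(sender):
    # Wire octets left for the third-party labels in the cleartext form.
    return MAX_NAME - wire_length("_atps." + sender)

# Constructed sample domains (not from the thread).
SHORT_SENDER = "example.com"
LONG_SENDER = ".".join(["a" * 60, "b" * 60, "c" * 60, "example"])
LONG_THIRD_PARTY = ".".join(["x" * 20, "y" * 20, "z" * 20, "net"])

if __name__ == "__main__":
    for sender in (SHORT_SENDER, LONG_SENDER):
        clear = cleartext_name(LONG_THIRD_PARTY, sender)
        hashed = hashed_name(LONG_THIRD_PARTY, sender)
        print(f"sender wire length {wire_length(sender)}: "
              f"cleartext budget {cleartext_budget(sender)}, "
              f"cleartext fits={fits_in_dns(clear)}, "
              f"hashed fits={fits_in_dns(hashed)}")
```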

