ietf-822

Re: [ietf-822] WSJ/gmail/ML, was a permission to...

2014-05-05 11:11:05
On 5/4/2014 3:32 PM, Michael Richardson wrote:

Uhm, there is a limit on how big a TXT record can be.
As far as I can see, I have to list all the mailing lists into asl=

If it fits your "Small scale" needs, ok. But the complete solution is with both ASL and/or the ATPS proposal.

ASL is a "smaller scale" solution using an "asl=" tag list of domains, fitting as much as you can into a 512 byte TXT record without forcing a UDP->TCP fallback query switch.

For larger-scale needs, the ATPS method is to have one TXT record per authorized 3rd party signer domain. Is that OK? Can that be improved?

This would be the suggested DMARC compliant receiver's Check Signing Practice (CSP) procedure for DMARC with the extended ASL, ATPS support:

1) Obtain the 5322.From header AUTHOR-DOMAIN and perform a
   DNS TXT query for "_dmarc.AUTHOR-DOMAIN" to obtain a
   policy record.

   If no DMARC record is found (NXDOMAIN),
      return result DMARC=NONE

2) Obtain the 5322.DKIM-Signature header SIGNER-DOMAIN and
   compare with the AUTHOR-DOMAIN.

   If the two domains are the same,
      return DMARC=PASS (authorized 1st party signer).

   Otherwise, continue with third party authorization checking.

3) If the DMARC record "asl=" tag is present, check the
   SIGNER-DOMAIN within the "asl=" list of domains.

   If SIGNER-DOMAIN is found in the "asl=" list,
      return DMARC=PASS (authorized 3rd party signer).

4) If an atps=y tag is present, perform the steps as outlined
   in ATPS (RFC6541), which is to look up the existence of the
   TXT record for:

      base32(sha1(SIGNER-DOMAIN))._atps.AUTHOR-DOMAIN

   If the TXT record exists,
      return DMARC=PASS (authorized 3rd party signer)

5) return DMARC=FAIL (unauthorized signer).


--
HLS
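As an added worked example (not code from this thread or from the ASL/ATPS drafts), here is the CSP procedure above in Python, with a constructed in-memory zone standing in for DNS. Assumptions: the "asl=" list is comma-separated, and the signer domain is lowercased before hashing as RFC 6541 Section 4.1 prescribes.

```python
import base64
import hashlib

def parse_dmarc(record):
    """Split a 'tag=value; tag=value' TXT record into a dict (tags lowercased)."""
    tags = {}
    for part in record.split(";"):
        tag, sep, value = part.partition("=")
        if sep:
            tags[tag.strip().lower()] = value.strip()
    return tags

def atps_label(signer_domain, author_domain):
    """RFC 6541 query name: base32(sha1(SIGNER-DOMAIN))._atps.AUTHOR-DOMAIN.
    Signer is lowercased before hashing (assumed, per RFC 6541 Section 4.1).
    SHA-1 is 160 bits, so base32 gives exactly 32 characters and no padding."""
    digest = hashlib.sha1(signer_domain.lower().encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii") + "._atps." + author_domain.lower()

def check_signing_practice(author_domain, signer_domain, resolve_txt):
    """The CSP procedure above.  resolve_txt(name) returns the TXT record
    text or None.  Returns (result, reason)."""
    author, signer = author_domain.lower(), signer_domain.lower()
    record = resolve_txt("_dmarc." + author)                # step 1
    if record is None:
        return ("NONE", "no DMARC record")
    if signer == author:                                    # step 2
        return ("PASS", "first-party signer")
    tags = parse_dmarc(record)
    if "asl" in tags:                                       # step 3; comma-separated list assumed
        allowed = {d.strip().lower() for d in tags["asl"].split(",") if d.strip()}
        if signer in allowed:
            return ("PASS", "asl")
    if tags.get("atps", "").lower() == "y":                 # step 4
        if resolve_txt(atps_label(signer, author)) is not None:
            return ("PASS", "atps")
    return ("FAIL", "unauthorized signer")                  # final step

# Constructed zone data standing in for DNS so the example runs offline.
ZONE = {
    "_dmarc.example.org": "v=DMARC1; p=reject; asl=esp.example.com,news.example.net; atps=y",
    atps_label("lists.example.net", "example.org"): "v=ATPS1; d=lists.example.net",
}

def lookup(name):
    return ZONE.get(name)

if __name__ == "__main__":
    for signer in ("example.org", "esp.example.com", "lists.example.net", "evil.example"):
        print(signer, check_signing_practice("example.org", signer, lookup))
```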


