Doug,
Agreed. This section for email-address authorization could include:
1) Risks associated with the misuse of "open-ended" authorizations.
2) The disruption caused by "closed" authorizations.
3) Possible coercive ratings when not publishing the record.
4) Exploitation of "open-ended" authorization being unfairly attributed
to the mail-address domain owner.
5) Overhead when most records are not present for the email-addresses.
6) Label depth found in abusive email versus legitimate email.
7) Accommodating "closed" policies at the Mediator.
8) Increased overhead checking multiple From addresses. (Defeating 7)
9) Dictionary attacks of local-part authorizations.
10) Unintended DoS for short TTLs with authorizations.
I'd love to see you write that text up that could be used in the
threats draft. I've yet to see it in a usable form.
Here's a challenge: can you do it using only 5 (I-D length:-) lines
each and so that they're all understandable?
If not, then maybe those are the wrong items.
If so, then we might be fairly easily able to determine whether
and how to incorporate them into the threat analysis.
Stephen.
_______________________________________________
ietf-dkim mailing list
http://dkim.org