Doug,
Since there's no point in just repeating stuff, I won't. But you've
not convinced me about the additional abuse from open policies nor
that closed policies are problematic. I haven't heard anyone else
yelling eureka! either.
>> A large domain has an advantage that a smaller domain does not.[...]
>> I don't see how we can design a protocol to level that playing field.
> The concern is not about leveling the playing field, but rather not
> giving the large domain a powerful club with which to beat the heck out
> of smaller domains. This requires avoiding any reason or excuse for an
> open policy to be published.
I don't get your logic there. What is the relationship between domain
size and SSP that gives rise to a (technical) threat? I don't believe
there is one.
[...paradox lost...]
> For example, a second level domain "co.jp" publishes the 'o=.' policy.
> This would mean all sub-domains must then also publish a policy or
> forgo expectations of having their email accepted.
"o=." states that nothing in co.jp sends email (I hate those terse
labels being used in discussion, whatever about in the DNS.) I assume
that some enterprises in co.jp would complain mightily, i.e. that's
not going to happen.
> A mechanism to indicate the
> SSP record does not apply to sub-domains would ensure the search could
> end, but would then not be applied to the sub-domains. A separate
> mechanism not part of the 'o=' could be used, such as 'i=y' or 'i=n' for
> sub-domains inherit policy (yes/[no]).
Maybe. I could imagine some benefit were SSP to allow inclusion
of something like a "depth" value which'd say that this policy applies
here and N more levels down. Sort of like the pathLenConstraint in
X.509. But that's for later in any case when we're doing SSP.
> The paradox occurs when co.jp wishes to use email normally.
Nope. That's not a paradox at all.
> When the signing/email domains don't match and "some legitimate
> messages are not signed or are signed by others" policy is discovered,
> how does this relate to what messages are conformant?
That's up to the verifier and not in scope of threats. We might want
to discuss a bit when it's time to do SSP, but absent any demonstrated
threat, it's definitely for later I believe.
Stephen.
_______________________________________________
ietf-dkim mailing list
http://dkim.org
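The sub-domain search the two of them are arguing about (an ancestor's 'o=' record, Doug's 'i=y/n' inherit flag, Stephen's "depth" value) is easier to reason about in code. The following is an added example and is not code from the thread, from the SSP drafts or from any DKIM implementation: the record syntax ('o=', 'i=', 'd='), the `_policy.` lookup prefix, the "search ends at the closest record" rule and the DNS contents are all assumptions made here to illustrate the discussion, and `FAKE_DNS` is a constructed stand-in for TXT lookups.

```python
# Added example, not code from the original thread or from any DKIM/SSP draft.
# Assumed, hypothetical record syntax (the thread only sketches it):
#   o=<policy>  '.' = domain sends no mail, '-' = all mail signed by the
#               From domain, '~' = some mail unsigned or third-party signed
#   i=y|n       sub-domains inherit this record (Doug's suggestion; default n)
#   d=<N>       record applies at most N label levels below the publisher
#               (Stephen's "depth", an analogue of X.509 pathLenConstraint;
#               absent = unlimited when i=y)
from typing import Dict, Optional, Tuple

# Constructed stand-in for DNS TXT lookups: name -> record text.
FAKE_DNS: Dict[str, str] = {
    # co.jp claims to send no mail; record covers one level down only.
    "_policy.co.jp": "o=.; i=y; d=1",
    # example.co.jp publishes its own record and so escapes co.jp's.
    "_policy.example.co.jp": "o=-",
    # example.org: everything signed, and all sub-domains inherit.
    "_policy.example.org": "o=-; i=y",
    # example.net: some mail unsigned; applies to example.net only (i=n).
    "_policy.example.net": "o=~",
}


def parse_record(txt: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict; parts without '=' are ignored."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def record_for(domain: str, dns: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Fetch and parse the (hypothetical) _policy.<domain> record, if any."""
    txt = dns.get("_policy." + domain)
    return parse_record(txt) if txt is not None else None


def find_policy(domain: str, dns: Dict[str, str]) -> Tuple[Optional[str], Optional[Dict[str, str]]]:
    """Walk from `domain` toward the root (stopping short of the TLD) and
    return (publishing domain, record). The closest record found decides:
    either it covers `domain` (own record, or i=y and within d=) or the search
    ends with no policy, so a parent can never be skipped to reach a grandparent."""
    labels = domain.lower().rstrip(".").split(".")
    for distance in range(len(labels) - 1):  # never query the TLD itself
        candidate = ".".join(labels[distance:])
        rec = record_for(candidate, dns)
        if rec is None:
            continue
        if distance == 0:
            return candidate, rec
        inherits = rec.get("i", "n") == "y"
        depth = int(rec["d"]) if "d" in rec else None  # None = unlimited
        if inherits and (depth is None or distance <= depth):
            return candidate, rec
        return None, None  # closest record declines to cover us: stop
    return None, None


def classify(from_domain: str, signing_domain: Optional[str], dns: Dict[str, str]) -> str:
    """Apply the discovered policy to a message's From domain and the d= of
    its DKIM signature (None if unsigned). Assumed meaning of 'o=-': the
    signature must come from the From domain itself."""
    _publisher, rec = find_policy(from_domain, dns)
    if rec is None:
        return "no-policy"
    policy = rec.get("o", "?")
    if policy == ".":
        return "non-conformant"  # domain says it sends no mail at all
    if policy == "-":
        signed_by_self = signing_domain is not None and signing_domain.lower() == from_domain.lower()
        return "conformant" if signed_by_self else "non-conformant"
    # 'o=~' (or unknown): policy admits unsigned/third-party mail, so the
    # verifier decides; the record gives it nothing to reject on.
    return "verifier-discretion"


if __name__ == "__main__":
    for dom in ["example.co.jp", "other.co.jp", "deep.other.co.jp",
                "mail.example.co.jp", "a.b.example.org", "sub.example.net"]:
        print(dom, "->", find_policy(dom, FAKE_DNS))
```

The walk shows the co.jp case from both sides: `other.co.jp`, which publishes nothing, is caught by co.jp's 'o=.' and all its mail is treated as non-conformant, while `example.co.jp` escapes only because it published its own record, which is exactly the "every sub-domain must publish or forgo delivery" outcome Doug describes. A 'd=' of 0 on co.jp, or 'i=n', would confine the record to co.jp itself without changing the search.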