On Feb 20, 2006, at 4:25 PM, Hallam-Baker, Phillip wrote:
[mailto:ietf-dkim-bounces@mipassoc.org] On Behalf Of Mark Delany
Presumably a malicious TLD operator can also change what name
servers answer for your domain in which case they can
completely assume your identity as far as DKIM is concerned.
While this ability is implicit in the DNS delegation mechanism I think
that what Mark was proposing here was that we consider this as an
issue.
I didn't read that, but ok. I'm not really sure any more time should
be spent worrying about this than should be spent worrying
about a change in the speed of light. Both are part of the nature of
the system in which this must work.
I can't see a perfect way out of this problem because one of the things
that people want to do here is to allow domains further down the tree to
be able to assert strong control over their subdomains. So mit.edu can
insist that lcs.mit.edu sign its messages.
Instead of worrying about what a potentially evil TLD operator might
do, over which this working group has little control, perhaps it would
be worth the time looking at what a responsible TLD operator would
want to do, such as pointing out that if you got to the point of
looking at a TLD for anything, then something is not right.
-andy
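The dependency the thread is discussing, shown as an added example that is not code from the thread or from any DKIM implementation: a toy verifier that fetches the signing key from an in-memory stand-in for the DNS and trusts exactly what it gets back. The domain `example.org`, the selector `sel1` and the fixed key seeds are all constructed for the demonstration; it uses ed25519 (as later specified for DKIM in RFC 8463) because Go's standard library provides it, but the point is identical for RSA keys. The `Zone` map is the only thing the verifier consults, which is what makes control of the delegation chain equivalent to control of the DKIM identity.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Zone stands in for the DNS: owner name -> TXT record data. A real verifier
// reaches the same data by following the delegation chain (root, TLD, then
// the domain's own name servers), so whoever controls any link of that chain
// decides what this map returns.
type Zone map[string]string

// keyRecord builds the TXT record a domain owner publishes for a key
// (v=, k=, p= tags as in RFC 6376; for ed25519 p= is the base64 raw key).
func keyRecord(pub ed25519.PublicKey) string {
	return "v=DKIM1; k=ed25519; p=" + base64.StdEncoding.EncodeToString(pub)
}

// lookupKey resolves <selector>._domainkey.<domain> through the supplied zone
// and extracts the p= tag, rejecting records that do not carry a usable key.
func lookupKey(zone Zone, selector, domain string) (ed25519.PublicKey, error) {
	txt, ok := zone[selector+"._domainkey."+domain]
	if !ok {
		return nil, errors.New("no DKIM key record at that name")
	}
	for _, tag := range strings.Split(txt, ";") {
		tag = strings.TrimSpace(tag)
		if !strings.HasPrefix(tag, "p=") {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(tag[2:])
		if err != nil {
			return nil, err
		}
		if len(raw) != ed25519.PublicKeySize {
			return nil, errors.New("p= tag is not a 32-byte ed25519 key")
		}
		return ed25519.PublicKey(raw), nil
	}
	return nil, errors.New("key record has no p= tag")
}

// sign is the signer's side: a signature over the (already canonicalized) message.
func sign(priv ed25519.PrivateKey, msg string) []byte {
	return ed25519.Sign(priv, []byte(msg))
}

// verify is the verifier's side: it trusts exactly the key the zone returns.
func verify(zone Zone, selector, domain, msg string, sig []byte) bool {
	pub, err := lookupKey(zone, selector, domain)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, []byte(msg), sig)
}

// Constructed, fixed seeds so the run is reproducible (not real keys).
var (
	ownerKey = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, 32))
	otherKey = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, 32))
	ownerPub = ownerKey.Public().(ed25519.PublicKey)
	otherPub = otherKey.Public().(ed25519.PublicKey)
)

// Hypothetical domain and selector used throughout.
const exampleDomain = "example.org"
const exampleSelector = "sel1"

// legitZone is the DNS as published by the domain owner.
func legitZone() Zone {
	return Zone{exampleSelector + "._domainkey." + exampleDomain: keyRecord(ownerPub)}
}

// redelegatedZone is what the verifier sees once the parent zone points the
// domain's delegation at name servers the owner does not run: same name,
// different key. Nothing in the DKIM lookup distinguishes the two cases.
func redelegatedZone() Zone {
	return Zone{exampleSelector + "._domainkey." + exampleDomain: keyRecord(otherPub)}
}

func main() {
	msg := "from: alice@" + exampleDomain + "\r\nsubject: hello\r\n\r\nbody"
	ownerSig := sign(ownerKey, msg)
	fmt.Println("owner sig, owner DNS:      ", verify(legitZone(), exampleSelector, exampleDomain, msg, ownerSig))
	fmt.Println("owner sig, redelegated DNS:", verify(redelegatedZone(), exampleSelector, exampleDomain, msg, ownerSig))
	fmt.Println("other sig, redelegated DNS:", verify(redelegatedZone(), exampleSelector, exampleDomain, msg, sign(otherKey, msg)))
}
```

The three lines `main` prints (true, false, true) are the whole argument: a DKIM verifier never sees the owner, only the key record the delegation chain hands it, so the integrity of the answer is bounded by the integrity of that chain, which is why the thread treats a hostile parent zone as a property of the environment rather than something the signature format can fix.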
_______________________________________________
NOTE WELL: This list operates according to
http://dkim.org/ietf-list-rules.html