> effective response at affected levels. If a TLD used DKIM with 768
> bit keys for example, that might be adequate when this domain's
> messages are seldom targeted. On the other hand,
> <big-financial>.<tld> may need to react to a highly targeted attack
> employing greater resources, perhaps necessitating 1024 bit keys or
> greater.

This is a contract issue, not a technical issue.

> There is a significant reduction in security in this
> regard when parent signing is permitted.

That's simply untrue. A malicious or incompetent parent can make
arbitrary changes to any of its delegated domains. If you consider a
parent domain to be untrustworthy, its subdomains have no security
whatsoever regardless of any rules we might try to invent.
So as I said, parent signatures are quite useful and have no
disadvantages.
Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet
for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html