At 7:24 AM -0700 5/27/06, Douglas Otis wrote:
>On Fri, 2006-05-26 at 18:24 -0700, Paul Hoffman wrote:
>>At 6:08 PM -0700 5/26/06, Douglas Otis wrote:
>>>... i=somebody@some-domain.co.uk d=co.uk
>>>
>>>Currently this is permitted in the base draft which indicates the
>>>parent domain is authoritative for sub-domains.
>>
>>This is absurd. Under which scenario would a signer in
>>some-domain.co.uk possibly put d=co.uk in their signature?
>
>If a bad-actor compromised a system handling the private key half of the
>published key at d=co.uk, or got lucky cracking the key with a massive
>bot-net or specialized hardware, then they would be able to generate
>messages with email-addresses annotated as verified for _all_ of
>*.co.uk. Compromising a key high in the hierarchy, per the current
>draft, would have a huge pay-off when spoofing messages.

This is in the "movie-plot terrorism" realm.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
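
The i=/d= relationship debated in this thread, as an added example that is not part of the original messages or of the DKIM draft: a verifier-side check that accepts i= only when its domain equals or sits under d=, and separately flags a d= that is a registry-level suffix such as co.uk. The function names, the result strings and the tiny suffix set are assumptions made for illustration; a real deployment would need a maintained suffix list.

```python
# Added illustration: names and data below are constructed, not from the thread.
REGISTRY_SUFFIXES = {"uk", "co.uk", "com", "org"}  # constructed sample, not a full list


def parse_tags(sig):
    """Split a DKIM-Signature tag list ('k=v; k=v') into a dict."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return tags


def identity_scope(sig):
    """Classify how far the signing domain's authority is being stretched."""
    tags = parse_tags(sig)
    d = tags.get("d", "").lower().rstrip(".")
    if not d:
        return "reject: no d= tag"
    # When i= is absent, the identity defaults to "@" followed by d=.
    i = tags.get("i", "@" + d).lower()
    i_domain = i.rpartition("@")[2].rstrip(".")
    # i= must be the d= domain itself or a subdomain of it.
    if i_domain != d and not i_domain.endswith("." + d):
        return "reject: i= domain is outside d="
    # A key published at a registry-level name would vouch for every
    # registrant below it, which is the case the thread argues about.
    if d in REGISTRY_SUFFIXES:
        return "flag: d= is a registry-level suffix"
    if i_domain != d:
        return "ok: parent-domain signature"
    return "ok: exact-domain signature"


if __name__ == "__main__":
    samples = [  # constructed signatures, reduced to the tags that matter here
        "v=1; d=co.uk; i=somebody@some-domain.co.uk",
        "v=1; d=some-domain.co.uk; i=somebody@some-domain.co.uk",
        "v=1; d=some-domain.co.uk; i=somebody@mail.some-domain.co.uk",
        "v=1; d=some-domain.co.uk; i=somebody@other.co.uk",
    ]
    for s in samples:
        print(s, "->", identity_scope(s))
```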