ietf-dkim

Re: [ietf-dkim] Underscore considerations

2006-06-08 17:46:11
Jim Fenton wrote:

Michael Thomas wrote:
Even if you could, and even if a registrar were boneheaded enough to
shoot their own foot, how hard could it possibly be for a DKIM verifier
to enumerate the TLDs and not accept selectors from that set of
blacklisted _domainkey delegations? Am I missing something?

It's not just the TLDs that are problems here: It could be .co.uk, or
even .sanjose.ca.us (not meaning to pick on any particular registrars;
these are just examples)

Right, but what I'm wondering is how hard this would be to mitigate in
real life. Maybe it would be hard to get _every_ top level delegation
cut, but the delegation cuts where _real_ damage could be done seem
like a pretty small set. If I did nothing more than say I won't accept
selectors from _domainkey.com, it would seem to me that in one
swell-foop that I'd have cut off the single most potentially lucrative
attack vector. And so on.

But like I said, this is even assuming that you'd have boneheaded registrars
intent on not only shooting themselves in the foot, but continuing to shoot
themselves in the foot by not killing the bogus domain. That doesn't seem
especially credible to me.

      Mike
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
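
The verifier-side check discussed in this message, as an added example that is not part of the original post or of any DKIM implementation: before building the key query name from the signature's d= and s= tags, refuse a signing domain that is itself a registry-level suffix. The suffix set, function names and sample headers are constructed for illustration; the suffixes are the ones named in the thread.

```python
# Added example: refuse DKIM key lookups under registry-level
# _domainkey delegations such as _domainkey.com.
# BLOCKED_SUFFIXES is a constructed sample, not a complete list; a
# deployed verifier would need a maintained set of delegation points.
BLOCKED_SUFFIXES = {"com", "co.uk", "sanjose.ca.us"}

# Constructed sample signature header values (b= shortened, not real).
SAMPLES = [
    "v=1; a=rsa-sha256; d=example.com; s=sel1; b=AAAA==",
    "v=1; a=rsa-sha256; d=com; s=sel1; b=AAAA==",
    "v=1; a=rsa-sha256; d=CO.UK.; s=sel1; b=AAAA==",
]


def parse_tags(header_value):
    """Parse a DKIM-Signature tag=value list into a dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        # Drop folding whitespace; it carries no meaning in d= or s=.
        tags[name.strip()] = "".join(value.split())
    return tags


def key_query_name(header_value, blocked=BLOCKED_SUFFIXES):
    """Return the DNS name to query for the key, or None if refused."""
    tags = parse_tags(header_value)
    # Normalise case and a trailing root dot so "CO.UK." matches "co.uk".
    domain = tags.get("d", "").lower().rstrip(".")
    selector = tags.get("s", "").lower().rstrip(".")
    if not domain or not selector:
        return None  # malformed signature: nothing to look up
    if domain in blocked:
        return None  # key would live under a registry-level _domainkey
    return f"{selector}._domainkey.{domain}"


if __name__ == "__main__":
    for sample in SAMPLES:
        print(key_query_name(sample) or "refused", "<-", sample)
```
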