[ietf-dkim] draft-dkim-pcon
2006-06-15 15:34:20
Use of wildcards for locating policy records is reminiscent of
concepts applied to the then (barely used) TXT resource records, but
now it is the (barely used) PTR resource record. Wildcards have
limitations necessitating inordinate replication at every instance of
an existing name. A common policy record used with many applications
also seems unlikely to fit within a 512 byte DNS message constraint,
and imposing a linking script is highly reckless from a security
standpoint. It seems a new policy service is really needed, rather
than new DNS policy resource records or new methods for handling
wildcards. What existing server would be suitable? LDAPv3 (RFC3377)
referenced from the email-address domain SRV record?
DKIM provides a valuable service without attempting to accommodate
per-user policies via DNS. The down-grade attack affecting S/MIME et
al. can be avoided by incorporating a version "deprecation" ('d')
flag. Lists of trusted signing domains replace a need to separately
discover less meaningful domain policy records. Bad actors are
just as capable of publishing policy records. A trusted list avoids
look-alike domain attacks and excessive traffic hunting for
sporadically published records. Trusted lists also offer a safe basis
for annotating messages. It seems that mechanisms for accessing
trusted lists (an element or extension of the address book) within
application protocols such as IMAP would be more productive in
extending the value of the DKIM signature.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
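The wildcard limitation described in the message above, modelled as an added example (not code from the DKIM list, the draft, or any DNS implementation); the zone contents and the policy-lookup names are constructed, and the apex is assumed to be the owner with the fewest labels:

```python
"""DNS wildcard synthesis (RFC 1034 s4.3.3, RFC 4592) modelled over a small
constructed zone. Added example, not DKIM working-group code."""
from typing import Dict, List, Optional, Set, Tuple

Zone = Dict[str, Dict[str, List[str]]]  # owner name -> rrtype -> rdata list

def _parent(name: str) -> Optional[str]:
    return name.split(".", 1)[1] if "." in name else None

def existing_names(zone: Zone) -> Set[str]:
    """Owner names and empty non-terminals above them, down to the apex (fewest labels)."""
    apex_len = min(len(n.split(".")) for n in zone)
    names: Set[str] = set()
    for owner in zone:
        name: Optional[str] = owner
        while name is not None and len(name.split(".")) >= apex_len:
            names.add(name)
            name = _parent(name)
    return names

def lookup(zone: Zone, qname: str, qtype: str) -> Tuple[str, Optional[List[str]]]:
    """Status is 'exact', 'wildcard', 'nodata' or 'nxdomain'."""
    qname = qname.rstrip(".").lower()
    existing = existing_names(zone)
    if qname in existing:  # existing name (even an empty one): never synthesised
        rrsets = zone.get(qname, {})
        return ("exact", rrsets[qtype]) if qtype in rrsets else ("nodata", None)
    # Closest encloser = nearest existing ancestor; only '*' directly below it
    # may synthesise, so any existing name in between blocks wildcards above it.
    enc = _parent(qname)
    while enc is not None and enc not in existing:
        enc = _parent(enc)
    if enc is None or f"*.{enc}" not in zone:
        return ("nxdomain", None)
    rrsets = zone[f"*.{enc}"]
    return ("wildcard", rrsets[qtype]) if qtype in rrsets else ("nodata", None)

def wildcards_needed(zone: Zone) -> List[str]:
    """Existing names lacking their own '*' child: each needs a replicated
    wildcard before policy lookups beneath it can succeed."""
    return sorted(n for n in existing_names(zone)
                  if not n.startswith("*.") and f"*.{n}" not in zone)

# Constructed zone: one apex policy wildcard plus two real hosts.
ZONE: Zone = {
    "example.com": {"MX": ["10 mail.example.com"]},
    "*.example.com": {"TXT": ["example policy record"]},
    "mail.example.com": {"A": ["192.0.2.10"]},
    "www.example.com": {"A": ["192.0.2.20"]},
}
```

A policy lookup under a name that does not exist (`_policy.example.com`) is synthesised from the apex wildcard, but the same lookup under an existing host (`_policy.mail.example.com`) is NXDOMAIN, so `wildcards_needed` lists every host that would need its own copy.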