ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: DKIM TTPs (was Re: [ietf-dkim] editorials and nits)

2006-07-07 14:04:29
from [Hector Santos] [Permanent Link] 
----- Original Message -----
From: "Stephen Farrell" <stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie>
To: "ietf-dkim" <ietf-dkim(_at_)mipassoc(_dot_)org>



Otherwise we should get back to the point, which was put best by
Mike I think - should base mention the dns' role as a ttp at all,
and if so how?


Stephen,

I think TTP is a bad acronym. It is more like a trusted storage medium for
exposed domain resource information. The trust is that who ever put it there
directly reflects the domain it is associated with. We can not nor do we
operate under the presumption that the information was "fake" or put there
without the direct knowledge of the domain.

One of the fundamental issues I have the narrow DKIM base only focus is the
lack of protocol automation especially when it comes faults.

With DKIM, it is fundamentally incorrect to compare this, as another person
here did with MX operations.  With MX, we have concrete rules to help the
automation of SMTP.  e.g., the "NO MX RECORD(S), TRY A RECORD ATLEAST ONCE"
rule. This sort of protocol logic is lacking with DKIM.

In my view, it is more about what the verifier expects from the DKIM related
DNS information. There is no reason to believe the data in DNS is not who it
said it came from.  It is more what do you do with the information that is
there or more importantly, and highly neglected, not there or does not match
the expectations of the verifier.

How does the DKIM markings relate with the DNS information?

What if there is no DNS information?

What if there was suppose to be no DKIM consideration?

What if the DNS information does not validate the MESSAGE?

And so on.

In conclusion, maybe the following or something like it may be considered:

 "DNS has a historical implied trust as a trusted distributed
  storage medium to access or obtain domain resource information.
  There is no practical reason to presume the information is
  maliciously faulty unless the domain's security and DNS
  administrative network has been directly violated."

and/or combined or separate:

 "The DKIM related DNS information is EXPECTED to correlate with
  the DKIM signatures in the messages in order to correctly validate
  the message.  When the DNS information does not correlate with the
  validation of the DKIM signed message, this aspect of the BASE
  PROTOCOL is indeterminate (out of scope)."

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com








_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] editorials and nits, Eric Allman
Next by Date:  Re: DKIM TTPs (was Re: [ietf-dkim] editorials and nits), Eliot Lear
Previous by Thread:  Re: DKIM TTPs (was Re: [ietf-dkim] editorials and nits), Stephen Farrell
Next by Thread:  Re: DKIM TTPs (was Re: [ietf-dkim] editorials and nits), Douglas Otis
Indexes:  [Date] [Thread] [Top] [All Lists]