ietf-dkim

Re: [ietf-dkim] Delegating responsibility: a make vs. buy design decision

2006-08-18 11:13:17
On Friday 18 August 2006 13:49, Michael Thomas wrote:
> Scott Kitterman wrote:
> > On Thursday 17 August 2006 16:50, Dave Crocker wrote:
> > > This mechanism already exists, is notably simpler than the one being
> > > discussed, and does not suffer the security hole that has been noted.
> > >
> > > Simply stated:
> > >
> > >     If the author's domain is to be used for assessment activities, then
> > > have the signature be made with a domain that is directly related to the
> > > author.
> >
> > As was already discussed in the comments to the requirements draft, not
> > all DNS providers give their customers the ability to do subdomain level
> > NS delegation and so while that approach is good for those who can do it,
> > it leaves out a portion of the potential user base.
>
> Let's be very clear here: not every DNS provider has the ability to do TXT
> records either. Those small businesses, etc, should either pressure
> their providers or vote with their feet.

Agreed, but in the interests of deployability, we ought to keep the barriers 
to deployment as low as we reasonably can.  I already keep a list of name 
registrars and DNS providers that support TXT to make it easier for people to 
vote with their feet.  Let's not end up with someone having to do the same 
for subdomain NS delegation:

http://www.kitterman.com/spf/txt.html

I think that an explicit list of 'authorized' signers is reasonably doable 
with reasonable risk, but obviously opinions differ.

At this point, IIRC, it's a provisional requirement in the requirements draft.  
Given the concerns I think it's reasonable to leave it at provisional.  Let's 
leave it that way in the requirements phase and see what we can work out when 
we do the actual design work.  If it isn't practical or if the consensus is 
that it's too risky, we can, and should, drop it then.

Scott K
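The check Dave Crocker's proposal rests on is whether the DKIM signing domain (the d= tag) is "directly related" to the author's domain in the From: header; a signer in a delegated subdomain such as mail.example.com passes that test on its own, while an outside provider's domain does not and would need the separate authorized-signer list being debated. The following is an added example, not code from the thread or from any DKIM implementation: it extracts both domains from constructed sample headers, applies the same-domain-or-subdomain test, and shows the _domainkey record name where the key would live, which is what NS delegation of that subdomain hands to the third party. The header values, selector and domain names are all constructed.

```python
from email.utils import parseaddr

# Constructed sample headers (not taken from the thread).
SAMPLE_FROM = "Alice <alice@example.com>"
# Signer is a subdomain of the author domain, e.g. one NS-delegated to a mail provider.
SAMPLE_SIG_DELEGATED = (
    "v=1; a=rsa-sha256; d=mail.example.com; s=sel1; h=from:to; bh=...; b=..."
)
# Signer is an unrelated provider domain.
SAMPLE_SIG_THIRD_PARTY = (
    "v=1; a=rsa-sha256; d=esp.example.net; s=sel1; h=from:to; bh=...; b=..."
)


def parse_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (lower-cased tag names)."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def author_domain(from_header):
    """Domain of the From: address, normalised for comparison; None if unparsable."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def signing_domain(dkim_signature):
    """The d= tag of a DKIM-Signature, normalised; None if absent."""
    d = parse_tags(dkim_signature).get("d")
    return d.lower().rstrip(".") if d else None


def directly_related(author, signer):
    """True when the signer is the author domain or a subdomain of it.

    The dot is required so that 'notexample.com' is not treated as
    related to 'example.com'.
    """
    if not author or not signer:
        return False
    return signer == author or signer.endswith("." + author)


def key_record_name(selector, signer):
    """DNS name of the TXT record holding the public key for this signer."""
    return f"{selector}._domainkey.{signer}"


def assess(from_header, dkim_signature):
    """Classify a signature relative to the author domain.

    'author-related' means the author domain (or a delegated subdomain of it)
    vouches for the message by itself; 'third-party' means some additional
    authorization mechanism would be needed before the author domain is
    used for assessment.
    """
    author = author_domain(from_header)
    signer = signing_domain(dkim_signature)
    return "author-related" if directly_related(author, signer) else "third-party"


if __name__ == "__main__":
    for sig in (SAMPLE_SIG_DELEGATED, SAMPLE_SIG_THIRD_PARTY):
        tags = parse_tags(sig)
        print(assess(SAMPLE_FROM, sig), key_record_name(tags["s"], tags["d"]))
```

The relation test is deliberately strict (exact match or dotted subdomain): a signer that merely shares a suffix with the author domain is not related, which is the ambiguity an explicit authorized-signer list would otherwise have to resolve.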
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html