ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] Scalability concerns with Designated Signing Domains

2006-08-26 08:33:28
from [william(at)elan.net] [Permanent Link] 

I've proposed before that in case of large number of domains SPF-like
macro expansion be allowed in place of actual domain.

On Fri, 25 Aug 2006, Jim Fenton wrote:


[This is the first of a two messages outlining my concerns about SSP
Designated Signing Domains.  I'll break each category of concerns into a
separate thread.]

If Designated Signing Domains become an accepted of delegating authority
to sign messages, I'm concerned about the scaling characteristics of the
list of domains.  I haven't heard anyone say that the list should
consist of only one domain, but I have heard discussion that even
mailing list providers used by a domain might be delegated domains.  But
let's not go there yet.

Let's assume for a minute that SSP is distributed in DNS, which is at
least a likely outcome.  I'm aware of large enterprises with >120
outside entities that send mail on their behalf.  If each of these
entities takes 10 characters, then the list is 1200 characters long --
getting interesting for DNS over UDP, even with EDNS0.  If the
delegation is to subdomains of the delegatees, each the name of each
entity is likely to be longer than that.

We shouldn't be designing something that is this likely to go over a
limit such as this.  Does this mean that we need to have continuation
records to carry the additional entries?  It sounds like the retrieval
of these continuation records would be additive to the time required to
evaluate the message.  Verifiers would also need to be prepared for the
possibility that only portions of SSP are going to be available at a
given time, and maintain state information to keep track of that.

Are there going to be guidelines on what sorts of entities should be
included in the lists and what sorts should not?  For example, should
ietf.org be included if someone in the domain is subscribed to ietf
mailing lists?  Should mipassoc.org be included, even if we didn't know
that Dave is unquestionably reliable?

Delegation of keys, either through publication of a selector that
includes a provider's public key or through delegation of a subdomain to
a provider, does not run into this problem.

-Jim

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [ietf-dkim] Re: T-Shirt Entries, Frank Ellermann
Next by Date:  Re: [ietf-dkim] Responsibility concerns with Designated Signing Domains, william(at)elan.net
Previous by Thread:  Re: [ietf-dkim] Scalability concerns with Designated Signing Domains, Hector Santos
Next by Thread:  RE: [ietf-dkim] Scalability concerns with Designated Signing Domains, Arvel Hathcock
Indexes:  [Date] [Thread] [Top] [All Lists]