ietf-dkim

Re: [ietf-dkim] New Issue: Applicability of SSP to subdomains

2006-11-10 08:39:15
Right. I was rather surprised that this was not in the security and/or discovery requirements, especially considering how much it drives the discovery process.

      Mike

Jim Fenton wrote:

In the process of preparing my slides for the recent WG meeting, it occurred to me that there is no requirement in the SSP requirements doc for SSP to apply to subdomains of a given domain.

The issue is this: If an SSP record exists for example.com saying, for example, "I sign everything", it's probably not a good idea if an attacker can avoid that policy by sending mail from (for example) mail.example.com. The recipient is still likely to associate the message with the example.com domain.

This can occur whether or not there actually is a mail.example.com subdomain, or some other sort of record (such as an A record) for mail.example.com.

It's also probably a good idea to require a flag in SSP that indicates whether the policy published there is intended to apply to subdomains. This would be used when the subdomains are under separate administrative control, and there is a desire to avoid having a parent's SSP "bleed through" to subdomains.

This also needs to be done to (sub-)*domains, e.g., q.w.e.r.t.y.example.com.

-Jim

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
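The discovery behaviour Jim describes (a policy at example.com covering mail.example.com and deeper labels such as q.w.e.r.t.y.example.com, plus a flag that lets a parent opt out so its policy does not "bleed through" to separately administered subdomains) can be modelled with a small parent-walking lookup. The following is an added illustration written for this thread; it is not code from the DKIM working group, from any SSP draft, or from Jim or Mike. The record layout (a `policy` string and a `subdomains` flag), the sample records, and the rule that the walk stops before reaching a bare top-level label are all assumptions made for the example.

```python
"""Toy model of SSP (sender signing policy) discovery that walks up the
domain tree, so a policy published at example.com also governs
mail.example.com unless the record opts out of covering subdomains.

Added example, not code from any SSP draft. The record layout is
hypothetical:
  - policy:     the domain's stated policy ("all" = "I sign everything")
  - subdomains: whether the policy is meant to apply to child domains
"""
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple


@dataclass
class SSPRecord:
    policy: str
    subdomains: bool = True  # hypothetical flag discussed in the thread


# Constructed sample "DNS": domain -> published SSP record.
SAMPLE_RECORDS: Dict[str, SSPRecord] = {
    "example.com": SSPRecord(policy="all", subdomains=True),
    "corp.example.net": SSPRecord(policy="all", subdomains=False),
    "example.org": SSPRecord(policy="all", subdomains=False),
    "lab.example.org": SSPRecord(policy="some", subdomains=True),
}


def lookup_exact(domain: str,
                 records: Dict[str, SSPRecord] = SAMPLE_RECORDS
                 ) -> Optional[str]:
    """Naive lookup with no parent walk.  A message from mail.example.com
    finds no record here, which is exactly the gap Jim points out: the
    example.com policy is never consulted."""
    rec = records.get(domain.lower().rstrip("."))
    return rec.policy if rec else None


def parent_domains(domain: str) -> Iterator[str]:
    """Yield the domain itself, then each successive parent.

    Assumption for this toy: stop while at least two labels remain, so we
    never ask the bare TLD ("com") for a policy.  A real implementation
    needs a proper notion of organisational boundary."""
    labels = domain.lower().rstrip(".").split(".")
    while len(labels) >= 2:
        yield ".".join(labels)
        labels = labels[1:]


def lookup_policy(domain: str,
                  records: Dict[str, SSPRecord] = SAMPLE_RECORDS
                  ) -> Tuple[Optional[str], Optional[str]]:
    """Return (policy, domain_the_policy_came_from), or (None, None).

    The nearest record wins.  A record on the queried domain itself always
    applies; a record on an ancestor applies only if its subdomains flag
    is set.  An ancestor that opts out ends the walk: its policy must not
    bleed through, and nothing above it is consulted either."""
    for depth, candidate in enumerate(parent_domains(domain)):
        rec = records.get(candidate)
        if rec is None:
            continue  # no record at this level, keep walking up
        if depth == 0 or rec.subdomains:
            return rec.policy, candidate
        return None, None  # nearest ancestor explicitly excludes subdomains
    return None, None


if __name__ == "__main__":
    for d in ("mail.example.com", "q.w.e.r.t.y.example.com",
              "mail.corp.example.net", "host.lab.example.org"):
        print(f"{d:28s} exact={lookup_exact(d)!s:5s} "
              f"walk={lookup_policy(d)}")
```

Run as a script it prints the two lookups side by side: the naive `lookup_exact` returns nothing for every subdomain, while `lookup_policy` inherits "all" from example.com for both mail.example.com and the deeply nested q.w.e.r.t.y.example.com, and returns no policy for mail.corp.example.net because corp.example.net has opted out of subdomain coverage.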


