I'd like to bring up this topic again, which I raised on November 9 and
got only a little discussion and didn't make it into the issue tracker.
The various drafts that have been proposed for SSP differ substantially
in how they address subdomains, and I'd still like to understand whether
this is an SSP requirement or not.

-Jim

Jim Fenton wrote:

In the process of preparing my slides for the recent WG meeting, it
occurred to me that there is no requirement in the SSP requirements
doc for SSP to apply to subdomains of a given domain.

The issue is this: If an SSP record exists for example.com saying,
for example, "I sign everything", it's probably not a good idea if an
attacker can avoid that policy by sending mail from (for example)
mail.example.com. The recipient is still likely to associate the
message with the example.com domain.

This can occur whether or not there actually is a mail.example.com
subdomain, or some other sort of record (such as an A record) for
mail.example.com.

It's also probably a good idea to require a flag in SSP that indicates
whether the policy published there is intended to apply to
subdomains. This would be used when the subdomains are under separate
administrative control, and there is a desire to avoid having a
parent's SSP "bleed through" to subdomains.

This also needs to be done to (sub-)*domains, e.g.,
q.w.e.r.t.y.example.com.

-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
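
Added example, not part of the original message or of any SSP draft: a sketch of the lookup the quoted message asks for, in which a policy published at example.com covers names beneath it (whether or not they exist in DNS) unless a hypothetical "subdomains" flag says otherwise. The record fields, the in-memory table standing in for DNS, the suffix stop list, and the rule that the nearest published record decides are all assumptions of this example.

```python
# Constructed data standing in for DNS lookups. The fields "policy" and
# "subdomains" are hypothetical, not syntax from any SSP draft.
PUBLISHED = {
    "example.com": {"policy": "signs-all", "subdomains": True},
    # Separately administered subtree that publishes its own record.
    "dept.example.com": {"policy": "no-claim", "subdomains": False},
    # Parent that does not want its policy to cover subdomains.
    "example.org": {"policy": "signs-all", "subdomains": False},
}

# Constructed stop list so the walk never treats a TLD as a policy source.
PUBLIC_SUFFIXES = {"com", "org", "net"}


def applicable_policy(author_domain, published=PUBLISHED):
    """Return (policy, publishing_domain) for an author domain.

    Walks from the full name toward the root. The first record found
    decides: it applies if it sits at the author domain itself or if it is
    flagged as covering subdomains. Returns (None, None) otherwise.
    """
    labels = author_domain.rstrip(".").lower().split(".")
    for depth in range(len(labels)):
        candidate = ".".join(labels[depth:])
        if candidate in PUBLIC_SUFFIXES:
            break
        record = published.get(candidate)
        if record is None:
            continue  # nothing published here, keep climbing
        if depth == 0 or record["subdomains"]:
            return record["policy"], candidate
        # Nearest record exists but is not meant for subdomains: stop here
        # so a more distant parent does not "bleed through" past it.
        return None, None
    return None, None


if __name__ == "__main__":
    for name in ("example.com", "mail.example.com",
                 "q.w.e.r.t.y.example.com", "dept.example.com",
                 "x.dept.example.com", "mail.example.org"):
        print(name, "->", applicable_policy(name))
```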