ietf-dkim

Re: [ietf-dkim] Domain ignore list in sec 6.1.1 ?

2007-02-17 00:55:24
You didn't miss anything; this was an addition in the -10 version of the draft. It was inserted in response to a Discuss concern expressed by Cullen Jennings in IESG review.

The concern we were addressing was that the ability for a TLD (or similar entity, such as .co.uk) to have keys published would give the power for a key to be very widely valid. Consequently, if some sort of DNS or similar compromise were found that would make such a key appear, it would have a widespread impact. Providing a way for the verifier to not accept keys published by TLDs and the like blunts the value of that attack.

In the example you gave, the existence of keys that are valid for the entire TLD should make other domains in that TLD nervous. The g= tag only constrains the local-part of the address; there is no way to restrict a key published in a TLD to a particular domain or domains. The ability to sign for a subdomain applies to all subdomains, and is intended for use only when the subdomains are under common administration.

-Jim

John Levine wrote:
I never noticed until now the text in 6.1.1 saying that an
implementation can keep a list of domains that are "not valid signing
entities".  I'm not suggesting we change it, but what was the idea of
this paragraph?

If Verisign were to offer signing keys for mail from .com registrants
(no doubt at extra cost) and published some keys at
blah._domainkey.com, why would those signatures be any worse than
anyone else's?

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"More Wiener schnitzel, please", said Tom, revealingly.


_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
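The verifier-side check that Jim describes, as an added example that is not part of this thread or of any DKIM implementation: a small Python sketch that parses a DKIM-Signature tag list, refuses to look up a key when d= names a TLD or other entry on a locally configured "not valid signing entities" list, and shows why a key published at a TLD would otherwise be accepted for every subdomain. The ignore list, the sample headers (including their bh= and b= values) and the function names are all constructed for illustration; a real deployment would load a maintained public-suffix list rather than the handful of entries used here.

```python
import re

# Constructed list of domains this verifier treats as "not valid signing
# entities" (the section 6.1.1 mechanism). TLDs and registry-level suffixes
# such as co.uk belong here; this is an illustrative subset, not a real list.
NOT_VALID_SIGNING_ENTITIES = {"com", "net", "org", "uk", "co.uk", "org.uk"}


def parse_dkim_signature(header_value):
    """Parse a DKIM-Signature tag=value list into a dict.

    Tags are split on ';', folding whitespace inside values is removed, and
    the value is taken after the first '=' so base64 padding survives intact.
    """
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def is_valid_signing_entity(domain, ignore_list=NOT_VALID_SIGNING_ENTITIES):
    """Return False for a d= value the verifier will not accept keys from.

    A single-label name (no dot) is a TLD by construction; anything else is
    rejected only when it appears on the configured ignore list.
    """
    d = domain.lower().rstrip(".")
    if not d or "." not in d:
        return False
    return d not in ignore_list


def key_query_name(tags, ignore_list=NOT_VALID_SIGNING_ENTITIES):
    """Return the DNS name the verifier would query (selector._domainkey.domain),
    or None when the signature should be ignored because d= is not a valid
    signing entity. Raises ValueError if d= or s= is missing."""
    d = tags.get("d", "")
    s = tags.get("s", "")
    if not d or not s:
        raise ValueError("DKIM-Signature lacks d= or s=")
    if not is_valid_signing_entity(d, ignore_list):
        return None
    return "%s._domainkey.%s" % (s, d.lower().rstrip("."))


def domain_covers(signing_domain, identity_domain):
    """True when a key published under signing_domain (d=) is usable for an
    identity in identity_domain: the identity must equal d= or be a
    subdomain of it. This is why a key at a TLD would cover every domain
    registered under it; the g= tag cannot narrow this, since it only
    constrains the local-part of the identity."""
    d = signing_domain.lower().rstrip(".")
    i = identity_domain.lower().rstrip(".")
    return i == d or i.endswith("." + d)


# Constructed sample headers; hash and signature values are placeholders.
SAMPLE_TLD_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=com; s=blah; "
    "h=from:to:subject; bh=ZmFrZWJvZHloYXNo; b=ZmFrZXNpZ25hdHVyZQ=="
)
SAMPLE_OK_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
    "h=from:to:subject; bh=ZmFrZWJvZHloYXNo; b=ZmFrZXNpZ25hdHVyZQ=="
)

if __name__ == "__main__":
    for label, hdr in (("tld", SAMPLE_TLD_SIGNATURE), ("ok", SAMPLE_OK_SIGNATURE)):
        tags = parse_dkim_signature(hdr)
        print(label, "d=%s" % tags["d"], "->", key_query_name(tags))
    # The key at blah._domainkey.com would have covered all of these.
    for ident in ("example.com", "mail.example.com", "example.net"):
        print("com covers", ident, "->", domain_covers("com", ident))
```

The ignore check runs before any DNS query, so a verifier configured this way never fetches (and never caches) a key record published at a TLD, which is the point of the section 6.1.1 text: a compromised or spoofed record at that level gains nothing against it.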

