Hallam-Baker, Phillip wrote:
Stephen has almost captured my issues here.
My point here is that since NOMAIL is not a MUST requirement we do not require
the same level of design for deployment as for a feature that is a core
requirement. In particular it is acceptable for us to specify a scheme which
requires deployment of new DNS infrastructure for NOMAIL, this seems obvious to
me as there are existing schemes which address this requirement.
I do want to solve NOMAIL, in fact I think that it is essential that we do so
to close all possible avenues of attack, including the unsigned mail from
nonexistent domain attack. However I am quite happy for expression of NOMAIL to
require deployment of an XPTR capable DNS server.
I am proposing a scheme here which allows for a transition to a principled infrastructure in which NOMAIL like DKIM is supported as a first class entity.
All I don't want to do is to discuss the details of NOMAIL implementation at
this point. If we get the structure right they take about half an hour.
It's an interesting tact to claim that you can solve the subdomain
attack by saying that the top level of a domain can be set to "I sign
everything" and all subdomains set to "No mail". However, they aren't
semantically equivalent and they most assuredly do not meet the actual
requirement that all subnodes be covered. I suggest we stop mudding the
waters here as it's not helpful.
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html