On Jun 9, 2007, at 4:57 AM, John Levine wrote:
Would it help the discussion if large deployers of DKIM expressed
their opinions on nomail? (Again, they could express their
opinions and this item could still be held for later.)
If nomail is indeed the most useful SSP-ish assertion, which I
agree it is, it might make sense for people who care about it to go
work on moving MX . (or some other pure nomail approach) along the
standards track rather than getting entangled in SSP.
For any DKIM SSP to be useful at assisting recipients understand
whether an email is valid, SSP MUST be able to indicate whether the
domain or a sub-domain MUST BE SIGNED.
Discovering the policy record containing the MUST BE SIGNED assertion
is as difficult as discovering a sub-domain USED/UNUSED assertion.
From a DKIM standpoint, a fair amount of DKIM related overhead can
be mitigated by also offering a means to determine whether a sub-
domain is USED, in addition to whether a sub-domain MUST BE SIGNED.
Due to DKIM's added overhead, an assertion of USED/UNUSED represents
a significant aspect of defending the signature validation process.
The discovery process itself might provide a solution. For a message
to contain a valid email-address, the domain of this address MUST
locate either an MX or A record. The DKIM WG could strongly
recommend A record discovery be deprecated, and that only MX records
be used for discovery. Within a few years, it should be possible to
obsolete use of A record discovery. An email-address would not be
valid without an MX record. This would mean that policy placement
adjacent to the MX record would be the only location any policy
record would need to exist. In this case, the discovery process
itself indicates whether or not the sub-domain is USED/UNUSED.
If this "proof of use" approach is not used with DKIM, then flooding
a zone with some type of policy record is the alternative. When
"proof of use" is not utilized by the DKIM process, then stipulations
via policy represents the only other reasonable alternative. In
which case, an assertion of USE must be included simply due to the
overhead related to either the policy publishing or the discovery
process. In which case, it would be completely _unreasonable_ to
neglect including within hundreds or thousands of policy assertions,
whether the domain is being used or not.
One killer problem of putting nomail into SSP is that if
example.com publishes a nomail SSP, and sends signed mail, there is
no agreement at all here on which one you believe.
This really depends upon overhead required for either process. When
DKIM does not depend upon "proof of use", then "proof of policy"
should truncate DKIM processing that might otherwise occur. A
reliable means to discover whether a sub-domain is USED impacts DKIM
to any significant degree.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html