Dave, I'm not understanding how the algorithm can work if you omit
step 2 from section 4.2.2.

Suppose that example.com wants to assert to the world that it signs
all messages. It will create an ADSP record for example.com with the
appropriate assertion. Without step 2, all an attacker has to do is
to craft a message purported to be from
"attacker@some.thing.example.com" (where "thing" is not a valid label
in the example.com domain). Step 1 fails, because of course there is
no _adsp._domainkey.some.thing.example.com (i.e., it returns
NXDOMAIN), so the algorithm falls through to the next step, which is
now step 3. Step 3 searches for _adsp._domainkey.thing.example.com,
which also returns NXDOMAIN, so "the algorithm terminates with a
result indicating that no ASP record was present" --- and the absence
of an ADSP record means that unsigned mail must be deemed legitimate.
Without step 2 there is nothing example.com can do to protect its
name space.

If that's what you mean when you say "that presumes the goal of
protecting an entire sub-tree" then I'm all for protecting the entire
sub-tree. Anything less looks to me like it severely weakens the
entire point of ADSP.

eric

--On April 7, 2008 2:32:25 PM -0700 Dave Crocker <dhc(_at_)dcrocker(_dot_)net> wrote:

> robert(_at_)barclayfamily(_dot_)com wrote:
>> Like others I am guessing that you are referring to section 4.2.2
>> step 2.
>
> Yup.
>
>> Since the domain doesn't exist the administrator can't have
>> been expected to create a policy for it so error seems like the
>> right answer to me.
>
> That presumes the goal of protecting an entire sub-tree.
> Absent that goal, the goal is to cover domains that have ADSP
> records. Very different scope of effort.
>
>> Otherwise to create policies for all of my domains I would have to
>> create policies not just for all existing sub-domains of that
>> domain (which I personally would support) but all conceivable
>> sub-domains of a domain (which I don't think I would).
>
> Again, creating records for every conceivable name -- and no, I
> can't imagine any reasonable administrator attempting that -- is
> only an issue if there is a belief that ADSP can 'protect' all
> names in a sub-tree.
>
> d/
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
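
The lookup walk-through in the message above, as an added example that is not part of the original thread or of the draft: it models steps 1 to 3 only as the message describes them and runs the lookup with and without the step 2 existence check. The zone contents, the `dkim=all` record value, the function names and the result labels are constructed for illustration.

```python
# Constructed zone data for illustration; "thing.example.com" and
# "some.thing.example.com" deliberately do not exist.
EXISTING_NAMES = {"example.com", "mail.example.com"}
ADSP_RECORDS = {"_adsp._domainkey.example.com": "dkim=all"}


def fetch_adsp(domain):
    """Return the ADSP record published for `domain`, or None (NXDOMAIN)."""
    return ADSP_RECORDS.get("_adsp._domainkey." + domain)


def domain_exists(domain):
    """Stand-in for a DNS query that answers NXDOMAIN for unknown names."""
    return domain in EXISTING_NAMES


def adsp_lookup(author_domain, check_exists=True):
    """Return (result, record) for the author domain of a message.

    check_exists=False models the algorithm with step 2 omitted.
    """
    # Step 1: look for a record at the author domain itself.
    record = fetch_adsp(author_domain)
    if record:
        return ("record", record)
    # Step 2: an author domain that does not exist ends the lookup with
    # an error instead of "no record".
    if check_exists and not domain_exists(author_domain):
        return ("nxdomain", None)
    # Step 3: try the immediate parent only, as described in the message.
    parent = author_domain.partition(".")[2]
    record = fetch_adsp(parent)
    if record:
        return ("record", record)
    # No record found: the receiver has no policy to apply to unsigned mail.
    return ("none", None)


if __name__ == "__main__":
    for domain in ("example.com", "mail.example.com", "some.thing.example.com"):
        print(domain,
              "| with step 2:", adsp_lookup(domain),
              "| without step 2:", adsp_lookup(domain, check_exists=False))
```

With step 2 in place the forged author domain ends in an error result the receiver can act on; without it the same message ends in "no record", which is the outcome the message objects to.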