ietf-dkim

Re: [ietf-dkim] use cases for wildcard policy assertions

2008-04-10 02:51:32
On Wed, 2008-04-09 at 12:09 -0400, Siegel, Ellen wrote:
> ...
> bounces(_at_)mipassoc(_dot_)org] On Behalf Of Roland Turner
> ...
> > Setting aside questions of whether consensus has already been reached,
> > and the painful technical details of trying to deal with hierarchies of
> > names rather than exact matches with individual domain names, it strikes
> > me that any reasonable "outsider" will look at a spec that doesn't allow
> > him to specify in one step (rather than hopefully-correctly attached to
> > every single zone entry now and through all future changes) "Acme Corp's
> > email is ALL signed, or it's not ours" and wonder what the spec authors
> > were thinking.
>
> I think if we go this route we need to 1) be more clear about what is
> and isn't supported, and 2) include some explanation of how a subdomain
> that wants a different policy (e.g. "unknown" where the parent domain is
> "all", or "discardable" if it doesn't send any mail and the parent has
> published a weaker practice record).
>
> I think part of Dave's point is that doing a good job of (1) may not be
> as straightforward as it seems.

I suspect that he's concerned that, even if it were technically
feasible, it may not be so good an idea as it appears.

> Examples for (2) are very important in both directions (creating a
> subdomain policy that is a) weaker and b) stronger than that of the
> parent domain).

Quite.

I take it that the basic technical constraint is the need to keep the
number of DNS queries to "a few" and, in particular, to establish a
constant bound, rather than, say, permit an adversary to shut down some
DNS infrastructure by sending millions of messages purporting to be from
a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.example.com?

- Roland

-- 
Roland Turner | Product Manager, RealMail | BoxSentry Pte Ltd
3 Phillip Street, #13-03 Commerce Point, Singapore 048693
Mob: +65 96700022 | Skype: roland.turner | Fax. +65 65365463
roland(_dot_)turner(_at_)boxsentry(_dot_)com | www.boxsentry.com

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
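Editor's added example (not part of the thread, nor of any DKIM specification or implementation): a small simulation of the two lookup strategies the message contrasts. A hierarchical "tree walk" from the author domain up toward the root gives the parent the one-step "all our mail is signed" assertion Roland's quoted text asks for and lets a subdomain override it, but the verifier pays one query per label, so the 28-label address at the end of the message costs 27 lookups. An exact-match lookup costs exactly one query whatever the sender puts in the From: address, which is the constant bound the message asks about, at the price of not seeing the parent's record at all. The record-name convention `_adsp._domainkey.<domain>`, the in-memory zone table standing in for DNS and the hypothetical stop rule at a single-label suffix are all assumptions made for this illustration.

```python
from typing import Dict, Optional, Tuple

# Constructed stand-in for DNS (name -> TXT value); not real zone data.
# The parent publishes "all"; one subdomain publishes a weaker "unknown".
ZONE: Dict[str, str] = {
    "_adsp._domainkey.example.com": "dkim=all",
    "_adsp._domainkey.sub.example.com": "dkim=unknown",
}

# The 28-label name from the thread, as an attacker would put it in From:.
ATTACK_DOMAIN = ".".join("abcdefghijklmnopqrstuvwxyz") + ".example.com"


class CountingResolver:
    """Answers from ZONE and counts every query, so each strategy's cost is visible."""

    def __init__(self, zone: Dict[str, str]):
        self.zone = zone
        self.queries = 0

    def txt(self, name: str) -> Optional[str]:
        self.queries += 1
        return self.zone.get(name)


def policy_name(domain: str) -> str:
    # Assumed record-name convention for this example.
    return f"_adsp._domainkey.{domain}"


def tree_walk_lookup(domain: str, zone: Dict[str, str]) -> Tuple[Optional[str], int]:
    """Hierarchical lookup: query the author domain, then strip one label at a
    time until a record is found.  The query count grows with the number of
    labels the *sender* chose.  Stops before a single-label suffix (a
    simplification; real code would need a public-suffix list)."""
    dns = CountingResolver(zone)
    labels = domain.lower().rstrip(".").split(".")
    while len(labels) >= 2:
        record = dns.txt(policy_name(".".join(labels)))
        if record is not None:
            return record, dns.queries
        labels = labels[1:]  # walk one level toward the root
    return None, dns.queries


def bounded_lookup(domain: str, zone: Dict[str, str]) -> Tuple[Optional[str], int]:
    """Exact-match lookup at the author domain only: one query, regardless of
    how many labels the attacker stacks into the address.  A subdomain with
    no record of its own gets no policy, even if its parent says "all"."""
    dns = CountingResolver(zone)
    return dns.txt(policy_name(domain.lower().rstrip("."))), dns.queries


if __name__ == "__main__":
    for d in ("example.com", "sub.example.com", "deep.sub.example.com", ATTACK_DOMAIN):
        print(f"{d[:32]:<32} tree-walk={tree_walk_lookup(d, ZONE)} "
              f"bounded={bounded_lookup(d, ZONE)}")
```

Running it shows the trade-off in numbers: `deep.sub.example.com` inherits `dkim=unknown` from `sub.example.com` after two queries under the tree walk (the subdomain-weaker-than-parent case Ellen asks to have documented), and nothing at all under exact matching, while the 28-label attack name costs 27 queries under the tree walk and one under exact matching. Any design that wants both inheritance and a constant bound has to cap the walk at a fixed number of levels and decide what a verifier does when the cap is hit.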