On Mon, 14 Apr 2008 18:58:19 +0100, <robert(_at_)barclayfamily(_dot_)com> wrote:
To: ietf-dkim(_at_)mipassoc(_dot_)org
Date: Mon, 14 Apr 2008 09:53:28 -0400
From: wietse(_at_)porcupine(_dot_)org
Subject: Re: [ietf-dkim] protecting domains that don't exist
John Levine:
As someone pointed out, you can interchange steps 1 and 2 in the
specification, putting the existence check first. And then, of
course, you
can decide that the existence check is done outside ADSP. If the
existence
check is removed, I would advocate putting in language that says an
existence
check SHOULD be performed before doing ADSP.
That seems reasonable. My objection (and I think also Dave's) is not
that
it's a bad idea, but that it's not part of DKIM or ADSP.
+1
-1 I disagree. Having the NXDOMAIN check makes thh scoping boundaries of
ADSP explicit in the discovery algorithm. That is why I advocated making
it step 1. Anything that fails that test is explicitly outside the scope
of what ADSP covers. Without this explicit scope boundary the behavios
of different systems querying this data would become very unpredictable.
With the scope boundaries as defined by step 2 it is unequivocal that
any query for something that does not exist cannot be valid within ADSP.
Exactly. It is essential that the check be done, otherwise you don't even
know whether ADSP is applicable or not.
And if it turns out that ADSP is not applicable, then the reader of the
standard is entitled to ask "So what am I meant to do now?". To which we
should at least give a minimal answer such as "This document cannot
prescribe what action the verifier should take next, but it is not
precluded that, as a matter of local policy, it might treat it as
suspicious/discardable/whatever-euphemism-we-have-decided-upon".
And then, in the Security Considerations section you point out the
opportunities for scammers that may be exploited if the verifier does
nothing at all in this situation.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html