ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] protecting domains that don't exist

2008-04-15 04:05:12
from [Charles Lindsey] [Permanent Link] 
On Mon, 14 Apr 2008 18:58:19 +0100, <robert(_at_)barclayfamily(_dot_)com> wrote:




To: ietf-dkim(_at_)mipassoc(_dot_)org
Date: Mon, 14 Apr 2008 09:53:28 -0400
From: wietse(_at_)porcupine(_dot_)org
Subject: Re: [ietf-dkim] protecting domains that don't exist

John Levine:

As someone pointed out, you can interchange steps 1 and 2 in the
specification, putting the existence check first.  And then, of  

course, you

can decide that the existence check is done outside ADSP.  If the  

existence

check is removed, I would advocate putting in language that says an  

existence

check SHOULD be performed before doing ADSP.


That seems reasonable.  My objection (and I think also Dave's) is not  

that

it's a bad idea, but that it's not part of DKIM or ADSP.


+1



-1 I disagree. Having the NXDOMAIN check makes thh scoping boundaries of  
ADSP explicit in the discovery algorithm. That is why I advocated making  
it step 1. Anything that fails that test is explicitly outside the scope  
of what ADSP covers. Without this explicit scope boundary the behavios  
of different systems querying this data would become very unpredictable.  
With the scope boundaries as defined by step 2 it is unequivocal that  
any query for something that does not exist cannot be valid within ADSP.


Exactly. It is essential that the check be done, otherwise you don't even  
know whether ADSP is applicable or not.

And if it turns out that ADSP is not applicable, then the reader of the  
standard is entitled to ask "So what am I meant to do now?". To which we  
should at least give a minimal answer such as "This document cannot  
prescribe what action the verifier should take next, but it is not  
precluded that, as a matter of local policy, it might treat it as  
suspicious/discardable/whatever-euphemism-we-have-decided-upon".

And then, in the Security Considerations section you point out the  
opportunities for scammers that may be exploited if the verifier does  
nothing at all in this situation.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       
   Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] protecting domains that don't exist, Wietse Venema
Next by Date:  Re: [ietf-dkim] protecting domains that don't exist, Charles Lindsey
Previous by Thread:  Re: [ietf-dkim] protecting domains that don't exist, Jim Fenton
Next by Thread:  Re: [ietf-dkim] protecting domains that don't exist, Douglas Otis
Indexes:  [Date] [Thread] [Top] [All Lists]