ietf-dkim

Re: [ietf-dkim] end-users vs filtering engines

2008-04-30 17:03:57

Arvel Hathcock wrote:
>> Is there a sufficiently useful degree of benefit to warrant the
>> (considerable) cost of development, deployment, and use?
>
> What is this question in reference to?  The notion of NXDOMAIN lookups or
> ADSP in general?

Arvel,

Very sorry for being so cryptic.  While I view the questions as applicable for
any effort, in this case I meant them with respect to any 'protect the
sub-tree' effort. That was why my following comments referred to cousin names.

>> Is the benefit long-term?
>>
>> A cousin domain is sufficiently trivial to use so as to make the intended
>> protection against use of sub-domains meaningless.
>
> That is just a restatement of the view which asserts that because ADSP
> can't protect domains you don't control you therefore needn't bother
> protecting those you do.

My point is that the effective "protection" is zero.

While perhaps it closes off some particular names, it does not close off the 
class of attack at all.

It is one thing to have a mechanism that makes it incrementally more 
difficult for an attacker to succeed. It is quite another to make it no harder 
at all.  If all the attacker has to do is register a new name and use a 
string-replacement on their previous attack, we do not have any meaningful 
added protections.


>> So the question is what sort of mechanism is going to benefit from
>> locking sub-domains, but not cousin domains?  How is the benefit
>> meaningful?
>
> I don't understand the question but I suspect it's a variant of what's
> already been asked and answered.  Is there something new here?

Asked, yes.  Answered, I don't think so.

d/


-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net