On Wed, Apr 30, 2008 at 7:02 PM, Dave Crocker <dhc(_at_)dcrocker(_dot_)net>
wrote:
While perhaps it closes off some particular names, it does not close off the
class of attack at all.
It is one thing to have a mechanisms that makes it incrementally more
difficult for an attacker to succeed. It is quite another to make it no
harder
at all. If all the attacker has to do is register a new name and use a
string-replacement on their previous attack, we do not have any meaningful
added protections.
Dave, this actually reads as though you suggest we throw out ADSP all
together. I don't see how this limit doesn't apply to ADSP regardless
of tree walking functionality.
>> So the question is what sort of mechanism is going to benefit from
>> locking sub-domains, but not cousin domains? How is the benefit
>> meaningful?
>
> I don't understand the question but I suspect it's a variant of what's
> already been asked and answered. Is there something new here?
Asked, yes. Answered, I don't think so.
Well, I certainly proposed one potential scenario where sub domain
locking would be useful (to me, arguably not to you). Archives suggest
Michael Hammer would prefer sub domain locking, as have Jim Fenton's
comments. Perhaps they could theorize an example or two of where and
how this would be useful to them.
Regards,
Al Iverson
--
Al Iverson on Spam and Deliverability, see http://www.spamresource.com
News, stats, info, and commentary on blacklists: http://www.dnsbl.com
My personal website: http://www.aliverson.com -- Chicago, IL, USA
Remove "lists" from my email address to reach me faster and directly.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html