Dave Crocker wrote:
Dave Crocker wrote:
Modify ADSP Domain Existence procedure.
Use draft-levine-dkim-adsp-00, Section 4.3. ADSP Lookup Procedure as input
to
discussions.
Per the Levine draft, this also entails addition of:
<section anchor="applicability" title="ADSP Applicability">
<t> ADSP as defined in this document is bound to DNS. For this
reason,
ADSP is applicable only to Author Domains with appropriate DNS
records (see Note below). The handling of other Author Domains is
outside the scope of this document. However, attackers may use such
domain names in a deliberate attempt to sidestep an organization's
ADSP policy statements. It is up to the ADSP verifier
implementation
to return an appropriate error result for Author Domains outside
the
scope of ADSP. <list style="hanging">
<t hangText="Note: "> The results from DNS queries that are
intended to validate a domain name unavoidably approximate
the set of Author Domains that can appear in legitimate email.
For example, a DNS A record could belong to a device that does
not even have an email implementation. It is up to the verifier
to decide what degree of approximation is acceptable.</t>
to the Section 3. Operation Overview.
At least part of this (what attackers might do) reads like a Security
Consideration, and perhaps belongs there instead.
I'd like to suggest that we use a different word than "approximate" in
the above discussion and in the Levine draft. "Approximate" may give
the impression that the error may be in either direction, i.e., that
there may be some legitimate email domains may be considered out of
scope for ADSP. How about something like "overestimate" instead? (Note
that I'm not considering a hostname like wjvax.UUCP to be a legitimate
mail domain any more).
-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html