The file can be viewed at:
http://datatracker.ietf.org/doc/draft-otis-dkim-tpa-label/
A comparison of the changes between version 4 to 5 is at:
http://www.sonic.net/~dougotis/dkim/draft-otis-dkim-tpa-label-04-to-05.html
Many of the changes corrected grammatical errors, dumb mistakes, and some
overly complex sentences.
The only headers the authorization might require, beyond the From header
of course, are List-ID and Sender. Since a major motivation for using
ADSP is as a defense against phishing, the PRA header was not included.
The use of PRA as a basis for acceptance will not mitigate spoofing of
the From header, since domains change too rapidly.
This version:
- Compares simple name concatenation with the use of TPA-Labels.
- Includes a description for 'H' and 'M' scopes compliance checks. (This
is intended to offer an interim solution for third-party services not
yet using DKIM.)
- Adds an expectation for MX records for ADSP subdomains.
For those wanting except-mlist, a bare "tpa-sig" offers that mode,
without ignoring authentication and authorization in the process.
Depending upon the use of authentication becomes easier when general
purpose TPA lists are made available. A "dkim=all tpa-sig" defines a
clear state for when messages are to be refused.
While ADSP might not be suitable for every From domain, it can be
suitable for most DKIM signing domains.
This draft hopes to provide an alternative to a bad practice of using
subdomains with reduced protections when dealing with third-domain
services. For domains already being phished, such a practice will
simply lead to there being more victims.
Thanks for the feedback. If I missed acknowledging anyone, send me a
note privately.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
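Added example, not part of Doug's note or of the draft itself: the accept/refuse decision the note describes for a "dkim=all tpa-sig" record versus a plain "dkim=all" or a bare "tpa-sig", with a third-party signature counting only when the From domain has authorized the signer and the authorized header (Sender or List-ID) actually names that signer. The TPA-Label DNS encoding and the 'H'/'M' scopes defined in the draft are not reproduced; the authorization table, the domain names, the header-name scopes and the treatment of a bare "tpa-sig" as dkim=unknown are all constructed assumptions for this illustration.

```python
"""Decision logic for an ADSP record carrying the draft's "tpa-sig" option.

Constructed example: a plain dictionary stands in for the result of the
TPA-Label lookup defined in draft-otis-dkim-tpa-label, so the decision
can be exercised offline without DNS.
"""
from dataclasses import dataclass
from typing import Optional

# Assumption: keyed by From domain, then by third-party signing domain,
# giving the header(s) that must also name that signing domain.
TPA_AUTHORIZATIONS = {
    "bank.example": {
        "lists.example": {"List-ID"},   # a mailing list the domain uses
        "esp.example": {"Sender"},      # an outsourced mailer
    },
}


@dataclass(frozen=True)
class Message:
    from_domain: str
    signature_domains: frozenset            # d= values of signatures that verified
    sender_domain: Optional[str] = None     # domain in the Sender header, if any
    list_id_domain: Optional[str] = None    # domain in the List-ID header, if any


def parse_policy(record: str) -> tuple:
    """Parse 'dkim=all tpa-sig' style text into (dkim value, tpa_sig flag).

    Assumption: a bare 'tpa-sig' with no dkim= tag is treated as dkim=unknown.
    """
    dkim, tpa_sig = "unknown", False
    for token in record.split():
        if token.startswith("dkim="):
            dkim = token[len("dkim="):].strip().lower()
        elif token == "tpa-sig":
            tpa_sig = True
    return dkim, tpa_sig


def _header_domain(msg: Message, header: str) -> Optional[str]:
    return {"Sender": msg.sender_domain, "List-ID": msg.list_id_domain}[header]


def evaluate(msg: Message, record: str, authorizations=TPA_AUTHORIZATIONS) -> tuple:
    """Return (verdict, reason); verdict is 'accept', 'refuse' or 'neutral'."""
    dkim, tpa_sig = parse_policy(record)

    # 1. An author-domain signature satisfies ADSP on its own.
    if msg.from_domain in msg.signature_domains:
        return "accept", "author domain signature"

    # 2. With tpa-sig, a third-party signature is acceptable only when the
    #    From domain authorized that signer for a header, and that header
    #    (Sender or List-ID) names the signing domain.
    if tpa_sig:
        allowed = authorizations.get(msg.from_domain, {})
        for signer in sorted(msg.signature_domains):
            for header in sorted(allowed.get(signer, ())):
                if _header_domain(msg, header) == signer:
                    return "accept", f"{signer} authorized via {header}"

    # 3. Otherwise the dkim= value decides: 'all' or 'discardable' means a
    #    message without an acceptable signature is refused.
    if dkim in ("all", "discardable"):
        return "refuse", f"dkim={dkim} and no acceptable signature"
    return "neutral", "no author domain signature; policy does not require one"


if __name__ == "__main__":
    listed = Message("bank.example", frozenset({"lists.example"}),
                     list_id_domain="lists.example")
    print(evaluate(listed, "dkim=all tpa-sig"))   # accepted: list authorized
    print(evaluate(listed, "dkim=all"))           # refused: no tpa-sig in record
```

The ordering matters: the author-domain signature is checked first, the TPA authorization second, and only then does the dkim= value turn an unsigned or unauthorized message into a refusal, which is the "clear state" a "dkim=all tpa-sig" record gives a receiver.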