Murray S. Kucherawy wrote:
> > As I remember it, there was (or appeared to be) consensus to get ADSP
> > out there for testing by the entities it might work for, AND
> > simultaneously work on something for the 3rd party scenarios.
> > What ever happened to that work? I know there were a couple of drafts,
> > and Murray added support for one to OpenDKIM... if the 3rd party stuff
> > is really that important, why isn't anyone using it?
> Indeed, I asked this question at a couple of industry trade groups I attend,
> MAAWG being one of them. The answer I generally get is that the key
> delegation already supported by DKIM works just fine, so why do we need some
> other mechanism that hits the DNS yet again and employs some complex policy
> expression language?
> There has been no uptake at all in OpenDKIM for ATPS, and almost none is
> apparent with ADSP, although in the latter case our data can only give a
> range for adoption because we don't query when an author signature passes. I
> could tighten that down by running five figures worth of TXT queries if we
> really feel the need to be more accurate.
> I don't know of any public implementations of the other schemes.
Because of my continued skepticism about "flipping the DKIM switch" on our
general customer base, our wcDKIM add-on implementation has been
isolated to selected testers and to those customers who had requested
support.
ADSP and the extensions ATPS v1 and ACL are supported out of the box,
and all testers and customers using it have ATPS records with ACL and
ATPS extensions enabled, and it works. It works VERY well to
declare more than one authorized signer.
A Web-based Wizard was completed to help with the generation of the
ADSP records, and it comes with a SIMULATOR:
http://www.winserver.com/public/wcadsp
For my own records, I included mipassoc.org as an authorized signer of
my list membership.
Do an ADSP look up for ISDG.NET and you see the atps and acl tags:
nslookup -query=txt _adsp._domainkey.isdg.net
"dkim=all; atps=y;
asl=santronics.com,isdg.net,
winserver.com,megabytecoffee.com,
mapurdy.com.au,mipassoc.org,gmail.com,googlegroups.com;"
and if you use the wizard for ISDG.NET using mipassoc.org as an
authorized signer, to generate the ATPS record, you will see that
exposure in DNS.
nslookup -query=txt N3LSEHML2WGBFXOV7HSAK2QZSUBSEFHB._atps.isdg.net
"v=atps01; d=mipassoc.org;"
So the implementation is there and again it works really great. Here
is the Authentication-Results header for my isdg.net submissions to
the IETF-DKIM list when our receiver gets a list mipassoc.org signed copy:
Authentication-Results: dkim.winserver.com;
dkim=pass header.i=mipassoc.org header.d=mipassoc.org header.s=k00001;
adsp=pass policy=all author.d=isdg.net asl.d=mipassoc.org;
And if OpenDKIM was checking and recording it, it SHOULD produce the
same result.
Once we officially release our new update, while I am still on the fence
about exposing our customers to negative domain DKIM branding for a
non-existent TRUST Database world, odds are good I will let the beast
go.
But I can change my mind, as I still have no confidence that DKIM by itself
is good for our general customer base, who will follow our lead in what
we do as a good thing. So it's not just about ADSP; DKIM itself has a
serious deployment dilemma with little to no payoff and a high risk of
unsolicited 3rd party signers weighing down domain branding.
However, it is ADSP, whether it's an illusion or not, that currently
provides marketing reasons to answer the question of how DKIM signing can
help. I can't just say "Batteries are required" to find an
independent Trust Assessment Service. The last time we did that with
an implementation of a new technology, serious PR problems developed
when an intermediary 3rd party broker exited its new business model
venture.
Overall, this is all about promotion: what you promote in this Product
R&D endeavor. Don't promote ADSP and it doesn't go anywhere as fast as
one may wish. Yet, there has been long-time evidence from many
companies who stated they were waiting for the Proposed Standard to be
finished. These are companies who are sending sensitive vendor/user
messages, and they are not signed by DKIM. It makes you wonder why
not; ask them privately outside this WG and you may be surprised.
When you see the reputation push, when you have no leading champion
supporting it, advocating not to use it, of course you are not going
to get wider acceptance. It's as simple as that.
At this moment, you are the DKIM technology market leader. It is up to
you as a PRODUCT R&D engineer if you want to see ADSP used, tested and
explored among your OPENDKIM customer base.
--
Hector Santos, CTO
http://www.santronics.com
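The two DNS lookups and the Authentication-Results line in the message above show how a verifier combines the ADSP record's asl= list (the ACL extension) with the hashed _atps label to decide whether a third-party signer is authorized for an author domain. The following is an added example written for this page; it is not code from the post, from wcDKIM or from OpenDKIM. It parses tag=value records, builds the ATPS query name the way RFC 6541 describes (digest of the lowercased signing domain, base32-encoded, padding stripped; sha1 is assumed as the default here because the 32-character label quoted above has the length of a base32-encoded SHA-1 digest, and RFC 6541 also allows sha256), and evaluates an adsp= result for a message carrying only a third-party signature. The ADSP record is modelled on the isdg.net record quoted above; the ATPS lookup table, the domains lists.example.org and other.example, and the function names (parse_tags, atps_label, atps_query_name, evaluate_adsp) are constructed for the example.

```python
import base64
import hashlib

# Constructed sample ADSP record modelled on the _adsp._domainkey.isdg.net
# record quoted in the message (dkim=all, atps=y, asl=<list of signers>).
ADSP_RECORD = (
    "dkim=all; atps=y; "
    "asl=santronics.com,isdg.net,winserver.com,megabytecoffee.com,"
    "mapurdy.com.au,mipassoc.org,gmail.com,googlegroups.com;"
)

# RFC 4648 base32 alphabet; every ATPS label is drawn from it.
BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def parse_tags(record: str) -> dict:
    """Parse a DKIM-style 'tag=value; tag=value;' record into a dict.

    Tag names are lowercased; values keep their case (domain comparisons
    are lowercased separately). A part without '=' is a syntax error.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def asl_domains(adsp: dict) -> set:
    """Authorized signer list from the asl= tag (ACL extension), lowercased."""
    return {d.strip().lower() for d in adsp.get("asl", "").split(",") if d.strip()}


def atps_label(signing_domain: str, hash_name: str = "sha1") -> str:
    """Hashed DNS label for an ATPS record: base32 of the digest of the
    lowercased signing domain, with '=' padding stripped. sha1 is an
    assumption here (the 32-character label in the message is the length
    of a base32-encoded SHA-1 digest); RFC 6541 also permits sha256."""
    digest = hashlib.new(hash_name, signing_domain.lower().encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=")


def atps_query_name(signing_domain: str, author_domain: str, hash_name: str = "sha1") -> str:
    """Name a verifier would query: <label>._atps.<author domain>."""
    return f"{atps_label(signing_domain, hash_name)}._atps.{author_domain.lower()}"


def evaluate_adsp(author_domain, signing_domain, adsp_record, atps_txt, hash_name="sha1"):
    """Decide the adsp= result for a message whose only valid DKIM signature
    comes from signing_domain. atps_txt maps query names to TXT records and
    stands in for DNS. Returns (result, reason) in the order a verifier
    would check: author signature, asl= list, hashed _atps record, policy."""
    adsp = parse_tags(adsp_record)
    author = author_domain.lower()
    signer = signing_domain.lower()
    if signer == author:
        return ("pass", "author signature")
    if signer in asl_domains(adsp):
        return ("pass", f"asl.d={signer}")
    if adsp.get("atps", "n").lower() == "y":
        txt = atps_txt.get(atps_query_name(signer, author, hash_name))
        if txt:
            atps = parse_tags(txt)
            # Accept the draft (atps01) and RFC 6541 (ATPS1) version tags;
            # the d= tag must name the signer that was hashed into the label.
            if atps.get("v", "").lower() in ("atps01", "atps1") and atps.get("d", "").lower() == signer:
                return ("pass", f"atps.d={signer}")
    policy = adsp.get("dkim", "unknown").lower()
    if policy == "all":
        return ("fail", "policy=all")
    if policy == "discardable":
        return ("discard", "policy=discardable")
    return ("unknown", f"policy={policy}")


# Constructed stand-in for DNS: one ATPS record for a hypothetical third-party
# signer that is deliberately absent from the asl= list, so the hashed-label
# path is exercised rather than the list lookup.
ATPS_TXT = {
    atps_query_name("lists.example.org", "isdg.net"): "v=atps01; d=lists.example.org;",
}


if __name__ == "__main__":
    for signer in ("isdg.net", "mipassoc.org", "lists.example.org", "other.example"):
        print(signer, evaluate_adsp("isdg.net", signer, ADSP_RECORD, ATPS_TXT))
```

Running the block prints one line per signer: the author domain passes on its own signature, mipassoc.org passes via the asl= list, lists.example.org passes only through its _atps record, and a signer with neither gets "fail" because the record says dkim=all. Swapping the hash_name argument to "sha256" changes the label length from 32 to 52 characters, which is a quick way to see why a verifier and a record publisher must agree on the hash.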
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html