ietf-mailsig

Re: MASS Security Review document

2005-02-11 17:30:51

--- Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:

> Why not add an optional opaque identifier?
>
> This would be an option that could be employed when "replay" abuse is
> found damaging a domain's reputation.

Gotcha. While I question the true cacheability of this scheme, I see the
benefits of an optional opaque identifier wrt "replay".

Perhaps a better name is an optional revocation identifier? If present, the
recipient should check the revocation list (aka the presence of the
corresponding DNS entry).

I think beneficial cacheability is suspect because the domains most likely to
issue revocation identifiers are large free providers who will generate a huge
number of ids, and recipient domains are likely to see a small random number of
these during any caching period.

Nonetheless, the cost is largely the aggregate inbound queries borne by large
providers. A smaller domain is unlikely to receive a huge number of different
opaque ids, so the burden is fairly allocated.

So, regardless of the true cacheability of such ids in practice, it seems like
a pretty reasonable approach.


Mark.
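The check Mark describes (if the signature carries an optional revocation identifier, look up the corresponding DNS entry; presence means revoked) and his cacheability argument, as an added example that is not code from this thread or from any MASS draft. The header tag names (`d=` for the signing domain, `r=` for the opaque id), the DNS name layout `<id>._revoked.<domain>`, and the in-memory stand-in for DNS are all assumptions made so the example runs offline; the simulation at the end draws ids at random from a large provider's pool to show how few of a recipient's lookups hit a TTL cache when the id space is large.

```python
"""Revocation-identifier check with a TTL cache, plus a cache hit-rate simulation.

Added example; not code from the ietf-mailsig thread or any MASS document.
Assumptions (hypothetical): the signature header is a 'k=v; k=v' tag list,
'd=' is the signing domain, 'r=' is the optional opaque revocation id, and a
revoked id is published as the DNS name '<id>._revoked.<domain>'. DNS is
simulated with an in-memory set so the example runs offline.
"""
import random
import time


def parse_sig_tags(header: str) -> dict:
    """Parse an assumed 'k=v; k=v' tag list into a dict (empty parts ignored)."""
    tags = {}
    for part in header.split(";"):
        part = part.strip()
        if part and "=" in part:
            k, _, v = part.partition("=")
            tags[k.strip()] = v.strip()
    return tags


def revocation_name(domain: str, rid: str) -> str:
    """DNS name whose mere existence marks the id as revoked (assumed layout)."""
    return f"{rid}._revoked.{domain}"


class FakeDNS:
    """Stand-in resolver: a set of names that exist, plus a query counter.

    The counter is the 'aggregate inbound queries' borne by the signing domain.
    """

    def __init__(self, existing_names):
        self.names = set(existing_names)
        self.queries = 0

    def exists(self, name: str) -> bool:
        self.queries += 1
        return name in self.names


class RevocationChecker:
    """Recipient-side check with a per-name TTL cache of positive and negative answers."""

    def __init__(self, dns: FakeDNS, ttl: float = 300.0, clock=time.monotonic):
        self.dns, self.ttl, self.clock = dns, ttl, clock
        self.cache = {}  # name -> (revoked, expiry)
        self.hits = 0
        self.misses = 0

    def is_revoked(self, domain: str, rid: str) -> bool:
        name = revocation_name(domain, rid)
        now = self.clock()
        entry = self.cache.get(name)
        if entry is not None and entry[1] > now:
            self.hits += 1
            return entry[0]
        self.misses += 1
        revoked = self.dns.exists(name)
        self.cache[name] = (revoked, now + self.ttl)
        return revoked

    def verdict(self, sig_header: str) -> str:
        """'ok', 'revoked', 'no-revocation-id' (tag absent, nothing to check),
        or 'no-signing-domain' (cannot form the query name)."""
        tags = parse_sig_tags(sig_header)
        domain, rid = tags.get("d"), tags.get("r")
        if not domain:
            return "no-signing-domain"
        if rid is None:
            return "no-revocation-id"
        return "revoked" if self.is_revoked(domain, rid) else "ok"


def simulate(n_ids_issued: int, n_messages: int, ttl: float, seed: int = 0) -> float:
    """Cache hit ratio when a recipient sees n_messages within one TTL, each
    carrying an id drawn uniformly from a provider's pool of n_ids_issued ids.
    Constructed workload, not measured data."""
    rng = random.Random(seed)
    clock = [0.0]  # frozen clock: every message arrives inside the same TTL window
    chk = RevocationChecker(FakeDNS([]), ttl=ttl, clock=lambda: clock[0])
    for _ in range(n_messages):
        chk.is_revoked("bigfree.example", f"id{rng.randrange(n_ids_issued)}")
    return chk.hits / n_messages


if __name__ == "__main__":
    dns = FakeDNS(["abc123._revoked.example.net"])  # constructed revocation list
    chk = RevocationChecker(dns)
    print(chk.verdict("v=1; d=example.net; r=abc123"))  # revoked
    print(chk.verdict("v=1; d=example.net; r=xyz789"))  # ok
    print("hit ratio, 10^6 ids:", simulate(10**6, 1000, 300.0))
    print("hit ratio, 10 ids:  ", simulate(10, 1000, 300.0))
```

Every cache miss is one query against the signing domain's DNS, so `FakeDNS.queries` after a run is the load the provider absorbs; the two `simulate` calls contrast a large free provider's id space (almost no cache hits) with a small signer's (almost all hits).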

