On Jul 21, 2005, at 5:14 PM, Dave Crocker wrote:
2. Are there issues in that review that you find inadequately
covered in the
current DKIM specification, such as its Security Considerations
section?
A few comments...
1) Section 9.4 doesn't say anything about DNS cache sizes. Since
caches are a huge part of the robustness of DNS, I think it is
important to mention.
2) Also, the sentence "Secondly, the types of DNS attacks relevant to
DKIM are very costly and are far less rewarding than DNS attacks on
other Internet applications." from 9.4 is very generalized. What are
these attacks against the DNS for the sake of compromising DKIM? How
are these different than attacks against the DNS for other
applications? And given that spam is a huge problem on the Internet,
how is the value judgement made regarding their reward compared to
other applications (yes, this is nit-picky)?
3) The first solution in 9.5 seems to be talking about a service that
does not exist and lends itself to abuse, and the second seems to be
fairly heavy-weight and possibly not very effective (at least from
their limited descriptions). Perhaps those paragraphs should be
struck and the section should be left with only a description of the
attack.
4) I like 9.6. I had to reread it for it to sink in. Perhaps the
last sentence should be removed as it now appears unnecessary.
5) Section 2.3 of mass-sec-review seems to be asking questions
related to the current charter battle.
-andy