Michael Thomas wrote:
We've thought quite a lot about this and it really looks like the only reasonable way to deal with this is to segregate the traffic into different subdomains (yes, I hear the groans) with different policies. The alternative is that you need to enumerate all of the policies at one level of the DNS tree which is unattractive given MTU considerations. Thus, you'd want:

_policy._domainkey.biz.santronix.com. IN TXT "o=!;"
_policy._domainkey.santronix.com. IN TXT "o=-;"

or something like that.
There is one other option, which is to make signing policy granular at the user level (o=^, or USER in Hector's terminology). This needs more analysis, but may involve a lot of DNS lookups (plus the potential for an attacker to cause more by sending lots of messages from random addresses in the domain).
-Jim
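An added example, not code from either poster or from any DKIM implementation: a verifier-side policy lookup that walks from the sender's subdomain up the tree (the per-subdomain layout Michael proposes) and counts the DNS queries each check costs, so the lookup cost of a per-user (o=^) policy that Jim raises is visible. The zone data, the per-user record name and the o= meanings (taken from the early DKIM sender-signing-policy drafts) are assumptions for the example.

```python
# Constructed zone data standing in for live DNS TXT lookups.
DNS_TXT = {
    "_policy._domainkey.biz.santronix.com": "o=!;",
    "_policy._domainkey.santronix.com": "o=-;",
    "_policy._domainkey.example.net": "o=^;",
    # Hypothetical per-user record layout for the o=^ (USER) case.
    "alice._policy._domainkey.example.net": "o=-;",
}

# o= values as used in the early DKIM signing-policy drafts (assumed here).
POLICY_MEANING = {
    "~": "some mail signed",
    "-": "all mail signed",
    "!": "all mail signed, third-party signatures not accepted",
    "^": "per-user policy; consult the user-level record",
    ".": "domain sends no mail",
}

def parse_policy(txt):
    """Return the value of the o= tag from a policy TXT record, or None."""
    for tag in txt.split(";"):
        name, _, value = tag.strip().partition("=")
        if name == "o":
            return value
    return None

def lookup_policy(sender):
    """Walk from the sender's own domain up the tree until a policy is found.

    Returns (policy, lookups). Every DNS query is counted so the cost of
    deep subdomain trees and user-level policies is visible to the reader."""
    localpart, _, domain = sender.partition("@")
    labels = domain.split(".")
    lookups = 0
    for i in range(len(labels) - 1):          # never query the bare TLD
        zone = ".".join(labels[i:])
        lookups += 1
        txt = DNS_TXT.get("_policy._domainkey." + zone)
        if txt is None:
            continue                           # try the parent domain next
        policy = parse_policy(txt)
        if policy == "^":                      # one more query per sender
            lookups += 1
            user_txt = DNS_TXT.get("%s._policy._domainkey.%s" % (localpart, zone))
            if user_txt is not None:
                return parse_policy(user_txt), lookups
        return policy, lookups
    return None, lookups                       # no policy published at all
```

A sender from a subdomain with no record of its own costs one extra query per level, and each o=^ domain adds a query per distinct local part, which is the amplification concern in the reply.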