
Re: Last Call: <draft-kucherawy-dkim-atps-11.txt> (DKIM Authorized Third-Party Signers) to Experimental RFC

2011-12-02 07:52:49
Dave CROCKER wrote:

On 11/30/2011 8:09 PM, Murray S. Kucherawy wrote:
As the draft says, the point is to make the idea available and see if it sticks to anyone or anything. If the bulk senders (or receivers) do decide they collectively want this, there's something for them to try and report back.

if one thinks the mechanism is a bad idea, it's still worth having a good document to describe it.

The usual people with DKIM continue to utterly surprise me.

#1 The Author Domain verification was always in DKIM since its conception, especially as a selling and marketing point, in its presentations, and in its description to news rag publishers. DKIM was sold to me as a proof of concept.

#2 It was burned into the APIs available.

#3 It was burned into your DKIM Architectural Framework RFC5585 and it even included nice pretty ASCII-ART pictures that I am sure you are proud of:


                    |
                    |- RFC5322 Message
                    V
     +--------------------------------+
     |  Message Signed?               |
     +-----+--------------------+-----+
           |yes                  |no
           |                     |
           |SDID/AUID            |AUID
           |                     |
           V                     |
     +-------------+ SDID/AUID   |
     |  Verify     +---------+   |
     |  Signature  |         |   |
     +------+------+         |   |
        pass|            fail|   |
            V                |   |
     +-------------+         |   |
     |    SDID     |         |   |
     | Assessments |         |   |
     |             |         V   V
     +-----+--+----+      +-------+
         |    |          / Check   \
         |    +--SDID-->/  Signing  \
         |             /   Practices \
         |            +-------+-------+
         |                    |
         V                    V


The issue was always how to implement it for 3rd party Signers once the DKIM mindset in its eventual RFC changed to a 3rd party signer TRUST vendor and tried, unsuccessfully, to remove the Author Domain from the DKIM picture.

The methods for 3rd party Authorization were long conceived and the only problem was how to scale it in DNS. This I-D simply took an existing idea of having an Authorized Signer List (ASL) and offers a way to scale it.

We are probably the only vendor in the market to actively support both the ASL idea and the ATPS idea. This is a web-based wizard we provided to customers before an internal version was provided:

   http://www.winserver.com/public/wcadsp/default.wct

It allows for DKIM author domains to create DNS records with ASL tags for ADSP records and also add ATPS sub-domain records with the BASE32 hash of the ASL domains.

The bottom line: the proof of concept works, just like it always did since Author Domain validation was originally conceived in DKIM v1.0. The ASL and ATPS ideas simply offer a way to address the long-time issues of the 3rd party signer.

The idea is good for the smaller scale. For the larger scale, it still remains a problem.

Implementation-wise, it is very complex, and unless the DKIM system offers the automation tools, it's harder to get the layman operator to begin doing it on their own. After all, with ATPS, you have to get a utility to do the BASE32 hashing.

Finally, the public wizard focused on Windows-based records; a real one has to cover both, and it needs to be batch so that any updates are applied to the DNS server databases automatically and/or on a delay, i.e. individual updating was not good enough.


Thanks

--
Hector Santos, CTO
http://www.santronics.com
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
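The "BASE32 hashing" step the message says an operator needs a utility for is small enough to show in full. The following is an added example, not code from the post, from the winserver.com wizard it links, or from the I-D; it follows the record layout of RFC 6541 (the RFC this draft was published as): the author domain publishes a TXT record at <base32(hash(signer-domain))>._atps.<author-domain> reading "v=ATPS1; d=<signer-domain>", and an ADSP record carrying "atps=y; atpsh=<alg>". Assumptions beyond that: base32 is RFC 4648 with the '=' padding dropped, the verifier learns the hash algorithm from the signature's atpsh= tag (sha1 when absent), "dkim=all" is just a sample ADSP practice, and the domain names and the dict-backed resolver are constructed for the demonstration.

```python
# Added example: generating and checking DKIM ATPS records.
# Not the post author's code nor the linked wizard; assumptions noted inline.
import base64
import hashlib
import re
from typing import Callable, Dict, Iterable, List

ATPS_NODE = "_atps"                 # records live under <label>._atps.<author-domain>
ADSP_NODE = "_adsp._domainkey"      # RFC 5617 ADSP record location
HASH_ALGS = ("sha1", "sha256")      # atpsh values handled here


def _norm(domain: str) -> str:
    """Canonical form: strip whitespace and trailing dot, lowercase."""
    return domain.strip().rstrip(".").lower()


def atps_label(signer_domain: str, alg: str = "sha1") -> str:
    """DNS label for a signer: base32(hash(lowercased domain)).

    Assumption: RFC 4648 base32 with '=' padding removed, which keeps the
    label DNS-safe (sha1 gives 32 chars, sha256 gives 52, both < 63).
    """
    if alg not in HASH_ALGS:
        raise ValueError(f"unsupported atpsh value: {alg}")
    digest = hashlib.new(alg, _norm(signer_domain).encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=")


def atps_records(author_domain: str, signers: Iterable[str],
                 alg: str = "sha1") -> Dict[str, str]:
    """Author-domain side: ADSP record plus one ATPS TXT record per signer.

    Returns {owner name: TXT value}. 'dkim=all' is a sample practice only.
    """
    author = _norm(author_domain)
    records = {f"{ADSP_NODE}.{author}.": f"dkim=all; atps=y; atpsh={alg}"}
    for signer in signers:
        owner = f"{atps_label(signer, alg)}.{ATPS_NODE}.{author}."
        records[owner] = f"v=ATPS1; d={_norm(signer)}"
    return records


def zone_fragment(records: Dict[str, str]) -> str:
    """Render the records as zone-file lines, suitable for batch loading."""
    return "\n".join(f'{owner} IN TXT "{txt}"'
                     for owner, txt in sorted(records.items()))


_ATPS_TXT = re.compile(r"^\s*v\s*=\s*ATPS1\s*;\s*d\s*=\s*([^;\s]+)\s*;?\s*$",
                       re.IGNORECASE)

Lookup = Callable[[str], List[str]]   # name -> TXT strings


def signer_authorized(author_domain: str, signer_domain: str,
                      lookup: Lookup, alg: str = "sha1") -> bool:
    """Verifier side: may signer_domain (the DKIM d=) sign for author_domain?

    alg is what the signature's atpsh= tag advertised (sha1 when absent).
    lookup is a real resolver in production; a dict stand-in here.
    """
    author, signer = _norm(author_domain), _norm(signer_domain)
    if signer == author:
        return True  # first-party signature: ATPS is not consulted
    name = f"{atps_label(signer, alg)}.{ATPS_NODE}.{author}."
    for txt in lookup(name):
        m = _ATPS_TXT.match(txt)
        # The d= tag must name the signer itself, so one record authorizes
        # exactly one domain even if a label were mis-published or collided.
        if m and _norm(m.group(1)) == signer:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: example.com authorizes two third-party signers.
    zone = atps_records("example.com", ["esp.example", "Bulk-Mailer.Example"])
    print(zone_fragment(zone))
    resolver = lambda name: [zone[name]] if name in zone else []
    for d in ("esp.example", "bulk-mailer.example", "evil.example"):
        print(d, signer_authorized("example.com", d, resolver))
```

Feed zone_fragment() output to the DNS server's batch loader rather than entering records one at a time; re-running atps_records() over the full signer list regenerates every owner name, so removing a signer from the list drops its record on the next load.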
