On 4/14/2015 5:43 PM, Scott Kitterman wrote:

>> We should not expect anything different for a domain finding its
>> network of signers. If it doesn't know its list of signers, then it
>> just registers what it can and creates a relaxed DMARC policy.

> Which is completely orthogonal to the question. Scale for this is about scaling
> the data collection and DNS record publishing.


Ok, so what else is different for any DNS-based application? It is far simpler to use the

DMARC+TPA/ATPS method:

1a) Publish your ADID+SDID zone record,

1b) Have Receivers do an ADID+SDID lookup for existence. A positive result
    provides the SDID authorization as a signer.

than to use a dual signature @FS=SDID method:

2a) Change signer code to add a secondary signature; let's assume the simpler
    "do it for all" (global vs. selective dual signing).

2b) Change the receiver to look for @fs=SDID logic and use this explicit
    signature as an implicit indication that ADID authorizes the SDID.

In both cases, you get an extra DNS check. I don't think you will have everyone doing 2a as a global outbound dual signer, but let's say that's done by most; now you have the incentive for the bad guys to create fake facsimiles of replayed mail. You don't have this under #1.

> My essentially one-person domain would have a more complex forwarder/mailing-list
> list than the SPF records of even the largest providers.

Ok, I have a feeling you would be fine nonetheless. :) If exposure with @FS=SDID is ok, and looking directly for the SDID under the ADID zone is functionally the same, then why should companies who are perfectly capable of scaling and managing the ADID/SDID zone be limited to a weaker, more costly, code-changing solution?

Why is there a presumption that this "scale" problem is universal?

--
HLS
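The two checks compared in the message above, as an added example that is not part of this thread and not code from any participant. Approach 1 follows the query shape of RFC 6541 ATPS (assumed details: SHA-256 as the default hash, base32 with "=" padding stripped, SDID lowercased before hashing); approach 2 models the proposed "fs=" tag, which is a hypothetical tag name from the discussion, not a standardized DKIM tag. The DNS answers, domain names and signature headers are constructed in-line, and a boolean stands in for the DKIM cryptographic verification, so the script runs offline.

```python
"""Model of two third-party signer authorization checks (added example).

Approach 1 (ADID+SDID zone record): the receiver queries a record under the
author domain's zone; authorization lives in DNS and can be withdrawn.
Approach 2 (dual signature with fs=): the author domain's own signature
carries fs=<SDID>; authorization travels with the message.
"""
import base64
import hashlib


def atps_query_name(adid, sdid, hash_alg="sha256"):
    """Build the lookup name for SDID under ADID in the RFC 6541 ATPS shape:
    <base32(hash(sdid))>._atps.<adid>.  'none' uses the literal SDID label.
    Assumptions: padding stripped, labels lowercased (DNS is case-insensitive)."""
    sdid = sdid.lower().rstrip(".")
    adid = adid.lower().rstrip(".")
    if hash_alg == "none":
        label = sdid
    elif hash_alg in ("sha1", "sha256"):
        digest = hashlib.new(hash_alg, sdid.encode("ascii")).digest()
        label = base64.b32encode(digest).decode("ascii").rstrip("=").lower()
    else:
        raise ValueError("unsupported hash algorithm: %s" % hash_alg)
    return "%s._atps.%s" % (label, adid)


def parse_tags(record):
    """Parse a 'k=v; k=v' tag list (DKIM-Signature header or ATPS TXT record)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def atps_authorized(adid, sdid, dns, hash_alg="sha256"):
    """Approach 1: one DNS lookup under ADID decides whether SDID may sign.
    The record must be v=ATPS1 and its d= must name the SDID being checked."""
    txt = dns.get(atps_query_name(adid, sdid, hash_alg))
    if txt is None:
        return False
    tags = parse_tags(txt)
    return tags.get("v") == "ATPS1" and tags.get("d", "").lower() == sdid.lower()


def dual_sig_authorized(adid, sdid, signatures):
    """Approach 2: a verified signature whose d= is ADID and whose (hypothetical)
    fs= tag names SDID vouches for SDID.  'verified' stands in for the DKIM
    crypto check (assumption); an unverified signature proves nothing."""
    for sig in signatures:
        if not sig["verified"]:
            continue
        tags = parse_tags(sig["header"])
        if tags.get("d", "").lower() == adid.lower() and \
                tags.get("fs", "").lower() == sdid.lower():
            return True
    return False


# Constructed sample data: author domain, third-party signer, zone and headers.
ADID = "example.com"
SDID = "lists.example.net"
DNS = {atps_query_name(ADID, SDID): "v=ATPS1; d=lists.example.net"}
SIGS = [
    {"header": "v=1; a=rsa-sha256; d=example.com; s=sel; fs=lists.example.net",
     "verified": True},
    {"header": "v=1; a=rsa-sha256; d=lists.example.net; s=sel",
     "verified": True},
]


def compare_after_revocation():
    """Illustrates the replay point raised in the thread: deleting the zone
    record withdraws ATPS authorization for every later verification, while a
    replayed copy of an fs=-signed message still verifies as authorized.
    Returns ((atps_before, dual_before), (atps_after, dual_after))."""
    before = (atps_authorized(ADID, SDID, DNS),
              dual_sig_authorized(ADID, SDID, SIGS))
    revoked_dns = {}  # ADID removes the record; the old message is unchanged
    after = (atps_authorized(ADID, SDID, revoked_dns),
             dual_sig_authorized(ADID, SDID, SIGS))
    return before, after


if __name__ == "__main__":
    print(atps_query_name(ADID, SDID))
    print(compare_after_revocation())
```

The hashed label for a SHA-256 digest is 52 base32 characters, under the 63-octet DNS label limit, which is why the hashed form is usable for arbitrarily long signer domains; the "none" form would not be. The revocation comparison is the operational difference behind "you don't have this under #1": the zone-record check is re-evaluated on every delivery, the signature-borne grant is not.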


_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
