On April 14, 2015 6:44:32 PM EDT, Hector Santos <hsan...@isdg.net> wrote:
>On 4/14/2015 5:43 PM, Scott Kitterman wrote:
>
>>> We should not expect anything different for a domain finding its network of signers. If it doesn't know its list of signers, then it just registers what it can and creates a relaxed DMARC policy.
>>
>> Which is completely orthogonal to the question. Scale for this is about scaling the data collection and DNS record publishing.
>>
>
>Ok, so what else is different for any DNS-based application?  It is far simpler to
>
>DMARC+TPA/ATPS method:
>
>   1a) Publish your ADID+SDID zone record,
>
>   1b) Have Receivers do an ADID+SDID lookup for existence. A positive result provides the SDID authorization as a signer.
>
>then use a dual signature @FS=SDID method:
>
>   2a) Change signer code to add a secondary signature; let's assume the simpler "do it for all", the global vs. selective dual signing.
>
>   2b) Change the receiver to look for @fs=SDID logic and use this explicit signature as an implicit indication that ADID authorizes the SDID.
>
>In both cases, you get an extra DNS check. I don't think you will have everyone doing 2a as a global outbound dual signer, but let's say that's done by most; now you have the incentive for the bad guys to create fake facsimiles of replayed mail.  You don't have this under #1.

The difference is that in the second one the originator isn't required to have 
a comprehensive list of mediators in advance. I agree describing such a list in 
DNS wouldn't be that hard.  The problem is creating and maintaining such a list 
for domains with non-trivial numbers of users. That includes the complexity of 
explaining to most of these users what a mailing list is.

>> My essentially one-person domain would have a more complex forwarder/mailing list list than the SPF records of even the largest providers.
>
>Ok.  I have a feeling you would be fine, :) nonetheless.  If exposure with @FS=SDID is ok, and looking directly for the SDID under the ADID zone is functionally the same, then why should companies who are perfectly capable of scaling and managing the ADID/SDID zone be limited to a weaker, more costly code-changing solution?
>
>Why is there a presumption that this "scale" problem is universal?

I could do it, but I'm pretty sure I'd categorize it as more trouble than it's 
worth. 

How many different schemes do you think receivers will deploy? I think we get 
at most one solution that requires changes at the sender and receiver. Whatever 
it is needs to work as broadly as possible. Even if your approach would work 
for small domains, I think it needs to work for large providers too to be worth 
pursuing. 

Scott K
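The two receiver-side checks sketched in the quoted message (1a/1b: an existence lookup of an ADID+SDID record; 2a/2b: a second signature carrying fs=SDID), as an added example that is not part of this thread or of any IETF draft. Everything below is an assumption made for illustration: the record name is loosely patterned on the ATPS layout of RFC 6541 but uses SHA-256 and omits the signer-side atps= tag; an HMAC over the tag set and headers stands in for a DKIM RSA signature; keys, headers and zone contents are constructed; and the fs= proposal is read as "a verified signature keyed by the ADID whose signed fs= tag names the SDID it authorizes".

```python
"""Receiver-side authorization for two ADID-authorizes-SDID schemes.
Added example, not code from the thread or from any IETF document; record
layout, fs= semantics and the HMAC stand-in for DKIM signing are assumptions."""

import base64
import hashlib
import hmac

# Constructed selector keys: shared secrets so an HMAC can play the role of
# a DKIM signature without any crypto library.
KEYS = {
    ("example.com", "s1"): b"author-domain-secret",        # ADID
    ("lists.example.net", "l1"): b"list-operator-secret",  # SDID (mediator)
}


def parse_tags(value):
    """Parse a DKIM-style 'k=v; k=v' list, preserving tag order."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def canonical(headers):
    """Toy header canonicalization: lowercase names, trimmed values."""
    return "\n".join(f"{name.lower()}:{val.strip()}" for name, val in headers)


# ---- Scheme 1: existence lookup of an ADID+SDID record ---------------------
# Name shape loosely follows RFC 6541 (<hash-of-SDID>._atps.<ADID>); SHA-256
# and the padding strip are choices made here, not the RFC's.

def authorization_name(adid, sdid):
    digest = hashlib.sha256(sdid.lower().encode("ascii")).digest()
    label = base64.b32encode(digest).decode("ascii").rstrip("=").lower()
    return f"{label}._atps.{adid.lower()}"


def publish_authorization(zone, adid, sdid):
    """Step 1a: the ADID's DNS admin adds one record per authorized signer."""
    zone.setdefault(authorization_name(adid, sdid), []).append(
        f"v=ATPS1; d={sdid.lower()}")


def lookup_authorizes(zone, adid, sdid):
    """Step 1b: a positive lookup that echoes the SDID authorizes that signer.
    The decision depends on DNS only, never on message content."""
    for txt in zone.get(authorization_name(adid, sdid), []):
        tags = parse_tags(txt)
        if tags.get("v") == "ATPS1" and tags.get("d") == sdid.lower():
            return True
    return False


# ---- Scheme 2: dual signature with fs=<SDID> -------------------------------

def sign(headers, d, s, fs=None):
    """Step 2a: DKIM-like signature value; fs= sits inside the signed tag set,
    so a relay cannot rewrite it without breaking b=."""
    tags = {"v": "1", "d": d, "s": s}
    if fs:
        tags["fs"] = fs
    base = "".join(f"{k}={v};" for k, v in tags.items()) + canonical(headers)
    mac = hmac.new(KEYS[(d, s)], base.encode(), hashlib.sha256).digest()
    tags["b"] = base64.b64encode(mac).decode("ascii")
    return "; ".join(f"{k}={v}" for k, v in tags.items())


def verify(headers, sig_value):
    """Return the signature's tags if it verifies, else None."""
    tags = parse_tags(sig_value)
    key = KEYS.get((tags.get("d"), tags.get("s")))
    if key is None or "b" not in tags:
        return None
    unsigned = {k: v for k, v in tags.items() if k != "b"}
    base = "".join(f"{k}={v};" for k, v in unsigned.items()) + canonical(headers)
    expected = base64.b64encode(
        hmac.new(key, base.encode(), hashlib.sha256).digest()).decode("ascii")
    return tags if hmac.compare_digest(expected, tags["b"]) else None


def dual_signature_authorizes(headers, sig_values, adid, sdid):
    """Step 2b: a verified ADID-keyed signature naming fs=<SDID> is read as
    the author domain authorizing that signer (interpretation assumed)."""
    for value in sig_values:
        tags = verify(headers, value)
        if tags and tags.get("d") == adid and tags.get("fs", "").lower() == sdid.lower():
            return True
    return False


def demo():
    """Run both schemes over one constructed message; return the verdicts."""
    adid, sdid = "example.com", "lists.example.net"
    headers = [("From", "alice@example.com"), ("Subject", "[list] hello")]  # constructed
    zone = {}
    publish_authorization(zone, adid, sdid)
    author_sig = sign(headers, adid, "s1", fs=sdid)
    list_sig = sign(headers, sdid, "l1")
    # A relay that points fs= at itself invalidates the ADID signature.
    tampered = author_sig.replace(f"fs={sdid}", "fs=evil.example")
    return {
        "lookup_ok": lookup_authorizes(zone, adid, sdid),
        "lookup_unlisted": lookup_authorizes(zone, adid, "evil.example"),
        "dual_ok": dual_signature_authorizes(headers, [author_sig, list_sig], adid, sdid),
        "dual_tampered": dual_signature_authorizes(headers, [tampered, list_sig], adid, "evil.example"),
    }
```

Scheme 1 needs the ADID to know its signers before the mail is sent, which is the scaling objection in the reply above; scheme 2 needs no list but ties the authorization to a specific signed message, which is why the quoted message raises replay. The demo shows both verdicts and that rewriting fs= in transit breaks the ADID signature rather than granting a new authorization.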
