Doug,
Thanks for the clarification, so an assertion for subdomains that can
"opt out" of parent signing systems so that [EMAIL PROTECTED] is
authenticated with sig and [EMAIL PROTECTED] is not?
Thanks,

Bill Oxley 
Messaging Engineer 
Cox Communications, Inc. 
Alpharetta GA 
404-847-6397 
[EMAIL PROTECTED] 


-----Original Message-----
From: Douglas Otis [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 01, 2006 3:28 PM
To: Oxley, Bill (CCI-Atlanta)
Cc: [EMAIL PROTECTED]; ietf-dkim@mipassoc.org
Subject: Re: [ietf-dkim] draft-ietf-dkim-base-02 // Parent signing
security considerations


On Jun 1, 2006, at 11:57 AM, <[EMAIL PROTECTED]>  
<[EMAIL PROTECTED]> wrote:
>
> Just so that I can understand clearly, TLD offers signing ability  
> to those who don't want to develop or buy their own.
>
> So bar.com offers to sign for [EMAIL PROTECTED]

No.

Imagine a TLD wants to promote use of certificates for exchanging  
emails.  These outbound services could only be used for email-addresses
within their domain for the email-address to be marked as
verified (included within the i= parameter).  A TLD of .foo could  
sign a message that validates any email-address within the foo  
domain.  This could be [EMAIL PROTECTED] that uses a signature  
with [EMAIL PROTECTED] d=foo.

> However by bringing certificated messages from [EMAIL PROTECTED] you are
> assigning a reputation to that signature that DKIM presents.

Assume DKIM becomes the more widely adopted convention used for  
verifying signed messages.  The certificate would be used only to  
gain access to the TLD's outbound servers.  Reputation would likely  
be based upon the foo signing domain, as you seem to be suggesting.

It is unlikely a reputation service will create reputations for  
individual email-addresses.  The basis for identifying a culpable  
entity seems too weak to risk possible litigation.  Reputation  
services may report specific messages to the signing domain for  
confirmation and resolution.  (The Opaque-Identifier revocation  
option was intended to provide a scalable and timely method for  
curtailing abuse of this type.)

Contrary to the base draft claim of relying upon the email-address,  
receivers are more likely to focus upon the signing domain with  
respect to message acceptance.  Aggregating more email-addresses
behind a common signing domain introduces the issue of greater  
collateral blocking.  Although parent signing will simplify the  
handling of email-addresses received with wildcard MX records, this  
convenience for the transmitter increases the burden on the  
receiver.  This added burden for the receiver is highly
counterproductive when abating abuse.

> That is not a valid assumption as plenty of bar.com's for a fee  
> would be happy to sign for any spammer that shows up with cash.  
> This is inevitable.

Agreed.  It makes the TLD and CA money, while also introducing  
conflicts with respect to who is really authoritative.  Many criminal  
spammers already hide by utilizing shared resources.  Allowing the  
parent to be authoritative will also increase the number of these  
shared hiding places. : (

-Doug




_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
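
The d=/i= relationship discussed in this thread, as an added example that is not part of the original messages: a receiver-side check that classifies each signature as same-domain or parent-signed and groups identity domains under the signing domain a receiver would act on. It follows the rule in the published DKIM specification (RFC 6376) that the i= domain must equal d= or be a subdomain of it; the function names and sample headers are constructed for illustration.

```python
import re

def parse_tags(header_value):
    """Split a DKIM-Signature value into a tag=value dict (whitespace removed)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def classify_signature(header_value):
    """Return (signing_domain, identity_domain, relation).

    relation is 'same', 'parent' (d= is an ancestor of the i= domain),
    or 'invalid' (i= lies outside d=, which a verifier must not accept).
    """
    tags = parse_tags(header_value)
    d = tags["d"].lower().rstrip(".")
    # When i= is absent, the identity defaults to "@" + d.
    i = tags.get("i", "@" + d)
    i_domain = i.rsplit("@", 1)[-1].lower().rstrip(".")
    if i_domain == d:
        relation = "same"
    elif i_domain.endswith("." + d):
        relation = "parent"
    else:
        relation = "invalid"
    return d, i_domain, relation

def collateral_scope(header_values):
    """Group identity domains by signing domain, the unit a receiver would likely block."""
    scope = {}
    for value in header_values:
        d, i_domain, relation = classify_signature(value)
        if relation != "invalid":
            scope.setdefault(d, set()).add(i_domain)
    return scope

# Constructed sample headers (not from the thread); bh= and b= are placeholders.
SAMPLES = [
    "v=1; a=rsa-sha256; d=foo; s=sel1; i=user@site.foo; h=from; bh=PLACEHOLDER; b=PLACEHOLDER",
    "v=1; a=rsa-sha256; d=foo; s=sel1; i=other@shop.foo; h=from; bh=PLACEHOLDER; b=PLACEHOLDER",
    "v=1; a=rsa-sha256; d=site.foo; s=sel2; h=from; bh=PLACEHOLDER; b=PLACEHOLDER",
    "v=1; a=rsa-sha256; d=foo; s=sel1; i=user@example.bar; h=from; bh=PLACEHOLDER; b=PLACEHOLDER",
]
```

Every identity domain listed under one signing domain shares that domain's fate if a receiver blocks on d=, which is the collateral-blocking concern raised in the thread.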
