On Friday 18 August 2006 13:49, Michael Thomas wrote: > Scott Kitterman wrote: > >On Thursday 17 August 2006 16:50, Dave Crocker wrote: > >>This mechanism already exists, is notably simpler than the one being > >>discussed, and does not suffer the security hole that has been noted. > >> > >>Simply stated: > >> > >> If the author's domain is to be used for assessment activities, then > >>have the signature be made with a domain that is directly related to the > >>author. > > > >As was already discussed in the comments to the requirements draft, not > > all DNS providers give their customers the ability to do subdomain level > > NS delegation and so while that approach is good for those who can do it, > > it leaves out a portion of the potential user base. > > Let's be very clear here: not every DNS provider has the ability to do TXT > records either. Those small businesses, etc, should either pressure > their providers > or vote with their feet.
Agreed, but in the interests of deployability, we ought to keep the barriers to deployment as low as we reasonably can. I already keep a list of name registrars and DNS providers that support TXT to make it easier for people to vote with their feet. Let's not end up with someone having to do the same for subdomain NS delegation: http://www.kitterman.com/spf/txt.html I think that an explicit list of 'authorized' signers is reasonably doable with reasonable risk, but obviously opinions differ. At this point, IIRC, it's a provisional requirement in the requirements draft. Given the concerns I think it's reasonable to leave it at provisional. Let's leave it that way in the requirements phase and see what we can work out when we do the actual design work. If it isn't practical or if the consensus is that it's to risky, we can, and should, drop it then. Scott K _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html