On Mon, 14 Apr 2008 18:58:19 +0100, <[EMAIL PROTECTED]> wrote:

>
>> To: ietf-dkim@mipassoc.org
>> Date: Mon, 14 Apr 2008 09:53:28 -0400
>> From: [EMAIL PROTECTED]
>> Subject: Re: [ietf-dkim] protecting domains that don't exist
>>
>> John Levine:
>> > > As someone pointed out, you can interchange steps 1 and 2 in the
>> > > specification, putting the existence check first.  And then, of course, you
>> > > can decide that the existence check is done outside ADSP.  If the existence
>> > > check is removed, I would advocate putting in language that says an existence
>> > > check SHOULD be performed before doing ADSP.
>> >
>> > That seems reasonable.  My objection (and I think also Dave's) is not that
>> > it's a bad idea, but that it's not part of DKIM or ADSP.
>>
>> +1
>>
>
> -1 I disagree. Having the NXDOMAIN check makes the scoping boundaries of
> ADSP explicit in the discovery algorithm. That is why I advocated making
> it step 1. Anything that fails that test is explicitly outside the scope
> of what ADSP covers. Without this explicit scope boundary the behaviors
> of different systems querying this data would become very unpredictable.
> With the scope boundaries as defined by step 2 it is unequivocal that  
> any query for something that does not exist cannot be valid within ADSP.
>
Exactly. It is essential that the check be done, otherwise you don't even  
know whether ADSP is applicable or not.

And if it turns out that ADSP is not applicable, then the reader of the  
standard is entitled to ask "So what am I meant to do now?". To which we  
should at least give a minimal answer such as "This document cannot  
prescribe what action the verifier should take next, but it is not  
precluded that, as a matter of local policy, it might treat it as  
suspicious/discardable/whatever-euphemism-we-have-decided-upon".

And then, in the Security Considerations section you point out the  
opportunities for scammers that may be exploited if the verifier does  
nothing at all in this situation.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       
   Web: http://www.cs.man.ac.uk/~chl
Email:[EMAIL PROTECTED]: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
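
The ordering argued for in this thread, sketched as an added example that is not part of the original message or of any DKIM implementation: the existence check runs first, and an NXDOMAIN answer puts the domain outside ADSP's scope, leaving the outcome to local policy. Assumptions: the `_adsp._domainkey` record name and the `dkim=` values follow the later-published RFC 5617, the resolver is an in-memory stub over constructed zone data, and the `local_policy` parameter and function names are hypothetical.

```python
NXDOMAIN = "NXDOMAIN"

# Constructed zone data for an offline stub resolver (not real DNS answers).
ZONE = {
    "example.com": {"MX": ["mail.example.com"]},
    "_adsp._domainkey.example.com": {"TXT": ["dkim=discardable"]},
    "example.org": {"MX": ["mx.example.org"]},  # exists, publishes no ADSP record
}

def resolve(name, rrtype):
    """Stub resolver: record list, [] for NODATA, or NXDOMAIN."""
    name = name.lower().rstrip(".")
    if name in ZONE:
        return ZONE[name].get(rrtype, [])
    # A name with descendants exists (empty non-terminal): NODATA, not NXDOMAIN.
    if any(k.endswith("." + name) for k in ZONE):
        return []
    return NXDOMAIN

def parse_adsp(record):
    """Return the dkim= practice from one TXT record, or None if absent/invalid."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    practice = tags.get("dkim")
    return practice if practice in ("unknown", "all", "discardable") else None

def adsp_lookup(author_domain, local_policy="suspicious"):
    """Return (in_scope, outcome) for a message with no valid Author Domain signature."""
    # Step 1: existence check. The query type is arbitrary; only NXDOMAIN matters.
    if resolve(author_domain, "MX") == NXDOMAIN:
        # Out of ADSP's scope: the outcome is whatever local policy says.
        return (False, local_policy)
    # Step 2: the domain exists, so ADSP applies; fetch the published practice.
    answer = resolve("_adsp._domainkey." + author_domain, "TXT")
    if answer == NXDOMAIN:
        return (True, "unknown")
    for record in answer:
        practice = parse_adsp(record)
        if practice:
            return (True, practice)
    return (True, "unknown")

if __name__ == "__main__":
    for domain in ("example.com", "example.org", "no-such-domain.example"):
        print(domain, adsp_lookup(domain))
```

Returning the scope flag separately from the outcome keeps "ADSP said unknown" distinguishable from "ADSP did not apply", which is the boundary the thread is arguing about.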
