I sensed my name invoked and was compelled to join the melee.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ietf-dkim-[EMAIL PROTECTED] On Behalf Of Al Iverson
> Sent: Wednesday, April 30, 2008 8:15 PM
> To: DKIM List
> Subject: Re: [ietf-dkim] end-users vs filtering engines
>
> On Wed, Apr 30, 2008 at 7:02 PM, Dave Crocker <[EMAIL PROTECTED]> wrote:
>
> > While perhaps it closes off some particular names, it does not close off the
> > class of attack at all.
> >
> > It is one thing to have a mechanism that makes it incrementally more
> > difficult for an attacker to succeed. It is quite another to make it no harder
> > at all. If all the attacker has to do is register a new name and use a
> > string-replacement on their previous attack, we do not have any meaningful
> > added protections.
>
> Dave, this actually reads as though you suggest we throw out ADSP
> altogether. I don't see how this limit doesn't apply to ADSP regardless
> of tree walking functionality.
>
> > >> So the question is what sort of mechanism is going to benefit from
> > >> locking sub-domains, but not cousin domains? How is the benefit
> > >> meaningful?
> > >
> > > I don't understand the question but I suspect it's a variant of what's
> > > already been asked and answered. Is there something new here?
> >
> > Asked, yes. Answered, I don't think so.
>
> Well, I certainly proposed one potential scenario where sub domain
> locking would be useful (to me, arguably not to you). Archives suggest
> Michael Hammer would prefer sub domain locking, as have Jim Fenton's
> comments. Perhaps they could theorize an example or two of where and
> how this would be useful to them.
>

Cousin domains are orthogonal to the ADSP issue. Focusing on subdomains, I believe it may be useful for both senders and checking receivers if a domain were to be able to assert whether its policy applies to all of its subdomains. Given that we don't know how receivers or reputation services might utilize such an assertion, I would avoid must or should for a check at this stage. My reasons for stating this are as follows:

1) In my estimation, ADSP is particularly useful for both senders and receivers if it asserts that all mail is signed and/or discardable. There is certainly some value if limited to only a specific domain/subdomain but potentially greater value if an assertion can be made that covers part or all of a tree. This allows a domain owner to make a broader statement about its practices.

2) The ability to make a policy assertion across the board from a base domain may empower receivers and reputation services in their efforts to identify "good" - as in conforms to signing policy - vs "bad" - as in does not match the domain owner's stated policies through the mechanisms they are empowered to express them through. ADSP is (or should be) a public mechanism to extend and replace the private one-on-one agreements/relationships that a handful of senders and receivers have engaged in to fight (forged) spam and phishing prior to having a public standard-based option.

3) If such a policy assertion is included in ADSP then I have abiding faith and confidence that there are those legitimate receivers and reputation services that will take advantage of such an assertion. I wouldn't even mandate any sort of tree walking, MX checks, NXDOMAIN checks, etc. on the receiver side with regard to such a policy assertion. The assertion could be something as simple as a=y where "a" is all subdomains sign and y is yes.

I want to emphasize that I am not currently at the point where the domains I work with could make such a policy assertion but I am close (maybe one exception per domain tree) and would strive to get there if I were empowered through ADSP to make such an assertion. What I would like to hear from software providers, receivers and reputation folks is whether they would see a benefit from or take advantage of such assertions by (particularly) large heavily phished domains and other domains in general?

Ultimately, I'll implement whatever I can get from this ADSP process whether narrowly scoped or more broadly scoped. As I see it we are incrementally closing off specific spaces from specific types of abuse. Nothing more and nothing less.

For our website (brand) domains we have intentionally restricted the subdomains that we send email from. The ability to assert signing for all subdomains in a tree makes it clear to receivers that any subdomain in that tree should have a valid signature... even subdomains that exist but are not necessarily used for email currently. If need be we will publish an ADSP record for every domain we use.

Mike

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html