Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-10 Thread Douglas Otis
On Apr 9, 2008, at 11:43 AM, MH Michael Hammer (5304) wrote: > In response to the question Dave asks, I like the idea of providing > the option of protecting an entire (sub)tree within a domain. My > question to the gurus is whether there is a clean way to identify > "main" domains below

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-10 Thread Eric Allman
Dave, So I guess what we're talking about is to what "coverage" ADSP gives you. There are three options, not two: 1. The name itself, and nothing more. 2. The name itself plus one level down in the subtree. 3. The name itself plus all levels below it in the subtree. The current draft

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-10 Thread Arvel Hathcock
> Dave, I'm not understanding how the algorithm can work if you omit > step 2 from section 4.2.2. It can't. > Without step 2 there is nothing example.com can do to protect its > name space. Right again. It would be a large mistake to remove step 2. Arvel

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-10 Thread Roland Turner
On Wed, 2008-04-09 at 11:27 -0700, Dave Crocker wrote: > Does the working group assert the goal of covering entire sub-trees? > > Note that this isn't in the working group charter, the requirements > statement, > or even explicitly stated in the specification. (Getting myself up to speed...) I

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-09 Thread robert
Date: Wed, 9 Apr 2008 11:27:27 -0700 > From: [EMAIL PROTECTED] > To: [EMAIL PROTECTED] > CC: ietf-dkim@mipassoc.org > Subject: Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a > domain tree > > I believe the Step 2 query only makes sense for A

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-09 Thread MH Michael Hammer (5304)
> -Original Message- > From: [EMAIL PROTECTED] [mailto:ietf-dkim- > [EMAIL PROTECTED] On Behalf Of Dave Crocker > Sent: Wednesday, April 09, 2008 2:27 PM > To: Eric Allman > Cc: ietf-dkim@mipassoc.org > Subject: Re: [ietf-dkim] New Issue: protecting a domain na

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-09 Thread Dave Crocker
Eric Allman wrote: > Dave, I'm not understanding how the algorithm can work if you omit step > 2 from section 4.2.2. > > Suppose that example.com wants to assert to the world that it signs all > messages. It will create an ADSP record for example.com with the > appropriate assertion. Withou

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-09 Thread Eric Allman
Dave, I'm not understanding how the algorithm can work if you omit step 2 from section 4.2.2. Suppose that example.com wants to assert to the world that it signs all messages. It will create an ADSP record for example.com with the appropriate assertion. Without step 2, all an attacker has to

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-08 Thread Arvel Hathcock
> All that seems clear. I guess however, it still doesn't help me > with (an example of) why ADSP making a query and reacting to an > NXDOMAIN response as currently spec'd may be problematic. There is absolutely nothing in the least bit problematic about an NXDOMAIN query. If Dave wants this fun

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-08 Thread robert
> Date: Mon, 7 Apr 2008 14:32:25 -0700 > From: [EMAIL PROTECTED] > To: [EMAIL PROTECTED] > CC: ietf-dkim@mipassoc.org > Subject: Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a > domain tree > > > > [EMAIL PROTECTED] wrote: > > Li

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-08 Thread Stephen Farrell
Dave Crocker wrote: > > > Stephen Farrell wrote: >>> One interpretation of this point is that the presence of a DNS entry >>> (that is, a 'failure' to get an NXDomain) might be meaningful, but >>> the scope of its meaning is much broader than ADSP. >> >> I'm not following that. Can you give

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-08 Thread Stephen Farrell
Stephen Farrell wrote: > > Dave Crocker wrote: >> Whether ADSP can reasonably extract some semantics is an entirely reasonable >> line of question. > > Right. And that's the basis on which Barry and I think this worth > discussing again. Sorry, I should have said "a basis" above. It's been poi

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-08 Thread Stephen Farrell
Can we just park the "was consensus reached/documented" aspect of this thread for a couple of days? I'll go back through the archive and see if the ball was dropped (by Barry and I) or not. But that'll take a day or two. S. Dave Crocker wrote: > Eliot, > > I am trying to be careful and specific

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-08 Thread Stephen Farrell
Dave Crocker wrote: > Whether ADSP can reasonably extract some semantics is an entirely reasonable > line of question. Right. And that's the basis on which Barry and I think this worth discussing again. > What we need to see is discussion and consensus that it can and does and that > the bene

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-08 Thread Dave Crocker
Stephen Farrell wrote: >> One interpretation of this point is that the presence of a DNS entry >> (that is, a 'failure' to get an NXDomain) might be meaningful, but the >> scope of its meaning is much broader than ADSP. > > I'm not following that. Can you give an example? Even if it's partly

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-08 Thread Dave Crocker
I'm going to see whether we can actually have some constructive dialogue in this thread, by posting a message responding to a point that Eliot raised in a message that had a different focus: Dave Crocker wrote: > 3. At least one of the sub-tree mechanisms is attempting to glean > information

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-08 Thread Dave Crocker
Eliot, I am trying to be careful and specific in the things I am posting, here, and you and others need to be the same. My goal is to get discussion going. Yours appears to be to stop it. Unfortunately, that has often been at the root of problems in this working group. Let me repeat the bott

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-08 Thread Eliot Lear
Dave, 1402 and 1534 were specifically mentioned and discussed in Philly in Jim's presentation. In fact, between the two they've been discussed at multiple meetings. We know this because the mechanism has changed over time and was

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree (#1534)

2008-04-07 Thread Frank Ellermann
Jim Fenton wrote: > As I noted in http://mipassoc.org/pipermail/ietf-dkim/2008q1/009713.html > , issue #1534 fell through the cracks when I was preparing my slides No problem, for the known reasons I (try to) stay out of sub-domain discussions. Swapping steps 1 and 2 in 4.2.2 might make sense:

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree (#1534)

2008-04-07 Thread Jim Fenton
Frank Ellermann wrote: > > I see no #1534 in the nine IETF 71 PDF pages, and > no 1534 in the jabber log. #1543 was discussed. > As I noted in http://mipassoc.org/pipermail/ietf-dkim/2008q1/009713.html , issue #1534 fell through the cracks when I was preparing my slides for Philadelphia and

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-07 Thread Jim Fenton
Wietse Venema wrote: > Wietse Venema wrote: > >>> a) DKIM is for declaring the presence of an accountable identity. >>> If a signature is present, you know something. If it is absent, >>> you know nothing extra. >>> >>> b) ADSP attempts to tell you something, in the absence of a >>> signature.

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-07 Thread Wietse Venema
Wietse Venema wrote: > >a) DKIM is for declaring the presence of an accountable identity. > >If a signature is present, you know something. If it is absent, > >you know nothing extra. > > > >b) ADSP attempts to tell you something, in the absence of a > >signature. It does that by defining somethi

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-07 Thread Douglas Otis
On Apr 7, 2008, at 2:01 PM, Jim Fenton wrote: > Siegel, Ellen wrote: >> >> As long as such inheritance is possible, i.e. that a subdomain can >> automatically inherit from a parent domain, it must be true that >> we're discussing subtrees. > > There is an important difference. The subtree of

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-07 Thread Jim Fenton
Wietse Venema wrote: a) DKIM is for declaring the presence of an accountable identity. If a signature is present, you know something. If it is absent, you know nothing extra. b) ADSP attempts to tell you something, in the absence of a signature. It does that by defining something els

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-07 Thread Jim Fenton
Siegel, Ellen wrote: > > Jim, in your presentation to the ESPC you brought up the fact that one > reason to encourage sub-domains to publish 'unknown' ADSP records was so > that they wouldn't inadvertently inherit an ADSP record from a parent > domain. > > As long as such inheritance is possible,

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-07 Thread Dave Crocker
[EMAIL PROTECTED] wrote: > Like others I am guessing that you are referring to section 4.2.2 step 2. Yup. >Since the domain doesn't exist the administrator can't have > been expected to create a policy for it so error seems like the right answer > to me. That presumes the goal of protectin

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-07 Thread robert
> Date: Sun, 6 Apr 2008 23:06:25 -0700 > From: [EMAIL PROTECTED] > To: ietf-dkim@mipassoc.org > Subject: [ietf-dkim] New Issue: protecting a domain name vs. protecting a > domain tree > > 3. At least one of the sub-tree mechanisms is attempting to glean >

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree (#1534)

2008-04-07 Thread Frank Ellermann
Dave Crocker wrote: > it is not in the requirements : "Deployment Consideration 2: Subdomain Coverage" | Thus, it would be advantageous for SSP to not | only cover a given domain, but all subdomains | of that domain as well. I'm unhappy wit

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-07 Thread Wietse Venema
> a) DKIM is for declaring the presence of an accountable identity. > If a signature is present, you know something. If it is absent, > you know nothing extra. > > b) ADSP attempts to tell you something, in the absence of a > signature. It does that by defining something else that must be > prese

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-07 Thread Siegel, Ellen
> -Original Message- > From: [EMAIL PROTECTED] [mailto:ietf-dkim- > [EMAIL PROTECTED] On Behalf Of Jim Fenton > Sent: Monday, April 07, 2008 2:19 PM > To: [EMAIL PROTECTED] > Cc: ietf-dkim@mipassoc.org > Subject: Re: [ietf-dkim] New Issue: protecting a domain na

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-07 Thread Dave Crocker
Eliot Lear wrote: > As a matter of fact the way the issue was resolved was through Jim > Fenton's presentation at the last IETF, and not so much through online > discussion. OK. So I have now also reviewed: 1. Issue 1534 and its associated thread:

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-07 Thread Bill.Oxley
-Original Message- From: [EMAIL PROTECTED] on behalf of Barry Leiba Sent: Mon 4/7/2008 9:58 AM To: ietf-dkim@mipassoc.org Subject: Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree Eliot Lear said the following: > By my recollection, > this topic

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-07 Thread Douglas Otis
On Apr 7, 2008, at 8:33 AM, Eliot Lear wrote: > Barry: >>> 3. At least one of the sub-tree mechanisms is attempting to glean >>> information from the absence of publisher action. Let me explain: >>> >> ... >> c) Checking for the presence of an A record is intended to try tell yo

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-07 Thread Jim Fenton
Since the Chairs have ruled that this warrants yet further discussion... Dave Crocker wrote: > Folks, > > This issue encompasses some others, but I believe it is more basic and > therefore > informs the others and therefore needs to be resolved separately: > > There is a basic difference bet

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-07 Thread Dave Crocker
Eliot Lear wrote: > Dave, >> I'll repeat that distinction: The current draft does not deal with >> exact-name >> vs. sub-tree issues as an explicit point of distinction; it has bits of each >> scattered around. As such, the specification is, at best, confusing on the >> distinction, nevermi

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-07 Thread Eliot Lear
Dave, > I'll repeat that distinction: The current draft does not deal with > exact-name > vs. sub-tree issues as an explicit point of distinction; it has bits of each > scattered around. As such, the specification is, at best, confusing on the > distinction, nevermind incomplete on the tree c

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-07 Thread Dave Crocker
Barry Leiba wrote: > Eliot Lear said the following: >> By my recollection, >> this topic alone has been discussed at at least two - and possibly three >> - working group meetings. Please advise. > This topic has definitely been discussed a number of times. The focus of my note was on the con

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-07 Thread Eliot Lear
Barry: >> 3. At least one of the sub-tree mechanisms is attempting to glean >> information >> from the absence of publisher action. Let me explain: >> > ... > >>> c) Checking for the presence of an A record is intended to try >>> tell you >>> something in the absence of an ex

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-07 Thread Barry Leiba
Eliot Lear said the following: > By my recollection, > this topic alone has been discussed at at least two - and possibly three > - working group meetings. Please advise. This topic has definitely been discussed a number of times. And Stephen and I have discussed Dave's note from today, and t

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-07 Thread Stephen Farrell
Eliot Lear wrote: > Dave, Chairs, > > Why isn't this a duplicate of Issue 1402 > ? By my recollection, > this topic alone has been discussed at at least two - and possibly three > - working group meetings. Please advise. It does look similar.

Re: [ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-07 Thread Eliot Lear
Dave, Chairs, Why isn't this a duplicate of Issue 1402? By my recollection, this topic alone has been discussed at at least two - and possibly three - working group meetings. Please advise. Eliot Dave Crocker wrote: Folks, This issue enc

[ietf-dkim] New Issue: protecting a domain name vs. protecting a domain tree

2008-04-06 Thread Dave Crocker
Folks, This issue encompasses some others, but I believe it is more basic and therefore informs the others and therefore needs to be resolved separately: There is a basic difference between trying to protect a single domain name, versus trying to protect an entire sub-tree. 1. The DNS wa