On Fri, 2006-05-26 at 18:24 -0700, Paul Hoffman wrote:
> At 6:08 PM -0700 5/26/06, Douglas Otis wrote:
> >... [EMAIL PROTECTED] d=co.uk
> >
> >Currently this is permitted in the base draft which indicates the
> >parent domain is authoritative for sub-domains.
>
> This is absurd. Under which scenario would a signer in
> some-domain.co.uk possibly put d=co.uk in their signature?

If a bad actor compromised a system handling the private key half of the published key at d=co.uk, or got lucky cracking the key with a massive botnet or specialized hardware, then they would be able to generate messages with email addresses annotated as verified for _all_ of *.co.uk. Compromising a key high in the hierarchy, per the current draft, would have a huge payoff when spoofing messages. Not allowing this unconfirmed assertion that the "parent is always authoritative for email-addresses within sub-domains" removes any special concern that exists with regard to MTA security at some higher level. Remove this baseless assertion and then security can be strengthened according to the need at the level being verified.

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
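
Added example (not part of the original message or of the DKIM draft): a small Python model of the two rules discussed above, showing which addresses a signature with d=co.uk would vouch for when a parent domain is treated as authoritative for sub-domains and when only an exact domain match is accepted. The function names and sample addresses are constructed for illustration.

```python
# Added example: models the two authorization rules debated in this thread.
# Function names and sample addresses are constructed, not taken from the draft.

def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower().rstrip(".")


def covers(d_tag: str, address: str, parent_authoritative: bool) -> bool:
    """Would a valid signature with this d= value vouch for the address?"""
    signer = d_tag.lower().rstrip(".")
    domain = domain_of(address)
    if domain == signer:
        return True
    # Match on a label boundary only, so "notco.uk" is not under d=co.uk.
    return parent_authoritative and domain.endswith("." + signer)


def blast_radius(d_tag: str, addresses: list, parent_authoritative: bool) -> list:
    """Addresses that whoever holds the d= key could present as verified."""
    return [a for a in addresses if covers(d_tag, a, parent_authoritative)]


SAMPLE = [  # constructed addresses
    "alice@some-domain.co.uk",
    "bob@mail.other-domain.co.uk",
    "carol@example.org.uk",
    "dave@notco.uk",
    "postmaster@co.uk",
]

if __name__ == "__main__":
    for rule in (True, False):
        hits = blast_radius("co.uk", SAMPLE, rule)
        print(f"parent_authoritative={rule}: {len(hits)} of {len(SAMPLE)}: {hits}")
```

With the parent-is-authoritative rule, the exposure of a key grows with how high in the hierarchy its d= value sits; with exact matching, it stays confined to the one domain that published the key.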
