On Sat, 2006-05-27 at 08:49 -0700, Paul Hoffman wrote: > At 7:24 AM -0700 5/27/06, Douglas Otis wrote: > > >If a bad-actor compromised a system handling the private key half of the > >published key at d=co.uk, or got lucky cracking the key with a massive > >bot-net or specialized hardware, then they would be able to generate > >messages with email-addresses annotated as verified for _all_ of > >*.co.uk. Compromising a key high in the hierarchy, per the current > >draft, would have a huge pay-off when spoofing messages. > > This is in the "movie-plot terrorism" realm.
What exactly is far-fetched? DKIM keys and MTA use at the xLDs does not currently appear to be an immediate concern, allowing this provision, where any parent domain is assumed authoritative for all sub-domain email-addresses, gives high-level domains a tremendous advantage over other email service providers for outbound services. A high-level domain could offer email-address validation for a broad range of email-addresses. There does not seem to be any prohibitions regarding the use of outbound MTAs at xLDs, although there may be practical reasons for this not being done today. This provision provides a market incentive for the undesired deployment of keys at these levels. The absurdity seems to be the authoritative assumption. -Doug _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
