Steve Atkins wrote:
> On Mar 11, 2008, at 11:16 AM, Dave Crocker wrote:
>
>> Again, to repeat what I said at the mic:
>>
>> The current, 3-step procedure is certainly an improvement, however I do not
>> understand the need for the second step, in terms of ASP functionality.
>>
>> In any early discussion of this, I believe Jim said he thought it was a
>> carry-over from an earlier version of the spec where the need was more clear.
>>
>> In any event, I think the current question is: What is it about ASP -- as
>> opposed to concerns outside of ASP's scope -- that requires checking for domain
>> existence?
>
> Without that check, an unsigned mail from [EMAIL PROTECTED] will be
> considered to comply with ASP unless there is an ASP record for
> _asp._domainkey.bar.baz.ebay.com or for _asp._domainkey.baz.ebay.com
>
> It's difficult to publish a wildcard ASP record with standard DNS
> servers. So there is no easy way to publish an ASP assertion for "my
> domain and all subdomains of it". It is only possible to publish an
> ASP assertion for a finite list of hostnames.
>
> The domain existence check means that only a defined number of ASP
> records need to be published (the number of hostnames you publish
> would be an upper bound unless you're using wildcards anywhere else in
> your DNS, in which case all bets are off).
>
> Removing the check removes the ability for a domain owner to make an
> ASP assertion about all possible subdomains of that domain. It seems
> within scope for ASP.
>
Steve, thank you for refreshing my memory on this. I would state it a little differently now since SSP doesn't really have a "comply", that an unsigned message from the domain bar.baz.ebay.com will be considered to have an "Unknown" ASP unless...

So yes, it is important that we keep this.

-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
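
Added example, not part of the thread or of the ASP draft: a small offline model of the three-step lookup discussed above, showing what the step-2 existence check changes for an unsigned message from a made-up deep subdomain. It assumes step 1 queries the author domain and step 3 queries only the immediate parent (as the two record names in Steve's message suggest); the zone contents, the `dkim=all` record value and the `nonexistent-domain` result label are constructed for illustration.

```python
# Constructed zone: every name and record value here is made up for illustration.
EXISTING_NAMES = {"example.com", "www.example.com"}
ASP_RECORDS = {"_asp._domainkey.example.com": "dkim=all"}


def asp_record(domain):
    """Return the ASP TXT record published for `domain`, or None."""
    return ASP_RECORDS.get("_asp._domainkey." + domain)


def domain_exists(domain):
    """Stand-in for a DNS query that would return NXDOMAIN for unknown names."""
    return domain in EXISTING_NAMES


def asp_lookup(author_domain, check_existence=True):
    """Model the three-step lookup for an unsigned message.

    Returns (result, step) where step is the step that decided the outcome.
    """
    # Step 1: a record published at the author domain itself.
    record = asp_record(author_domain)
    if record is not None:
        return record, 1
    # Step 2: the check under discussion. A name that does not exist in
    # DNS is rejected here instead of falling through to "unknown".
    if check_existence and not domain_exists(author_domain):
        return "nonexistent-domain", 2
    # Step 3: fall back to the immediate parent only (never the bare TLD).
    parent = author_domain.partition(".")[2]
    record = asp_record(parent) if "." in parent else None
    if record is not None:
        return record, 3
    return "unknown", 3


if __name__ == "__main__":
    for name in ("example.com", "www.example.com", "bar.baz.example.com"):
        for check in (True, False):
            print(name, "check=%s" % check, asp_lookup(name, check))
```

With the check disabled, the owner of `example.com` would need a record at `baz.example.com` or `bar.baz.example.com`, and at every other name a sender could invent, to avoid the "unknown" result.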
