On Jun 14, 2014, at 3:35 PM, [email protected] wrote:

>>>> If a signature has an rsf= tag, verifiers ignore it unless there's a
>>>> matching signature from a domain the rsf= points to.
>>>>
>>>> This is not backward compatible, since verifiers that don't understand
>>>> rsf= will often get the wrong answer, so it needs a version bump.
>>>
>>> Can't both the version bump issue and the token signature issue be
>>> ameliorated by incorporating the token signature in the DKIM-Delegate
>>> field?
>
>> Yes, you could do the equivalent of the version bump by changing the
>> name of the header, but I don't see the point.
>
> If you're going to bump the version, you need to use the opportunity to
> solve the more general underlying problem.

+1 ... And then some.

> I'm not sure I can completely characterize that problem, but it's something
> along the lines of there need to be some way to state the intention behind
> this particular signature. Is this a signature tied to use by third parties?
> Whitelisting? Something else?

The theoretical solution is a DNS-based lookup with an in-band optimizer, like a DKIM-Delegate. I say it is the only practical and most cost-effective solution based on implementation experience (minus the optimizer).

The problem I sense is learning who to whitelist automatically out of the box and the management for the whitelist. Yahoo says they need 30k whitelist records. I don't see why that is a problem for them. They got the money to manage it. No?

It's not going to be a problem for me, you and most domains. Most domains are not going to need such scale or expect to be authorizing anyone else but themselves. Besides, we are talking software -- let it do the work.

Personally, it's getting ridiculous. So much time being wasted.

--
Hector Santos
http://www.santronics.com

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
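The rsf= rule quoted at the top of this message, and why a verifier that does not know the tag gets a different answer, sketched as an added example that is not part of the original message or of any draft's reference code. It assumes "matching signature" means another valid signature whose d= equals the rsf= domain; the header values and the function names are constructed for illustration, and the cryptographic check is taken as already done.

```python
def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def accepted_domains(signatures, understands_rsf=True):
    """Return the d= domains of the signatures a verifier would accept.

    signatures: list of (header_value, valid) pairs, where `valid` is the
    outcome of the normal cryptographic verification (assumed done).
    understands_rsf=False models an existing verifier, which ignores
    tags it does not recognise, as RFC 6376 requires.
    """
    valid = [t for t, ok in ((parse_tags(v), ok) for v, ok in signatures)
             if ok and "d" in t]
    accepted = set()
    for sig in valid:
        rsf = sig.get("rsf")
        if rsf and understands_rsf:
            # Assumed rule: some *other* valid signature must have d= rsf=.
            others = {o["d"].lower() for o in valid if o is not sig}
            if rsf.lower() not in others:
                continue  # conditional signature is ignored
        accepted.add(sig["d"].lower())
    return accepted


# Constructed sample headers (bh=/b= values are placeholders).
ORIGIN = "v=1; a=rsa-sha256; d=sender.example; s=s1; rsf=list.example; bh=AAAA; b=BBBB"
LIST = "v=1; a=rsa-sha256; d=list.example; s=k1; bh=CCCC; b=DDDD"

if __name__ == "__main__":
    # Message replayed without the list's signature.
    print("rsf-aware:", accepted_domains([(ORIGIN, True)]))
    print("legacy   :", accepted_domains([(ORIGIN, True)], understands_rsf=False))
    # Message that actually went through the list.
    print("via list :", accepted_domains([(ORIGIN, True), (LIST, True)]))
```

The first two calls differ only in whether the verifier knows rsf=, which is the backward-compatibility gap the quoted text says needs a version bump.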
