On Sun, May 10, 2015 at 10:42 AM, John Levine <[email protected]> wrote:
> I find that between the axiom and your observation that third party
> trusted entities do not scale, you can pretty quickly tell whether a
> proposed hack is likely to be workable.
>
A re-signing scheme also has to have some mechanism for deciding which
third parties get the endorsement ("@fs=") from the author domain. One
might think of that as a "registry" with similar problems to those we've
been discussing, but it's just an entirely private one. So I'm not sure we
can plainly say registries are off the table, because you always have to
have some way to decide whether to affirm the relationship. It's a matter
of the method by which you do so.
But in your case, that registry doesn't need to be published anywhere; it's
implicit in the signature parameters, and is much easier to control
tightly, because it's per-message, and DKIM has a lot of parameters to play
with.
-MSK
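The "per-message registry" described above, as an added illustration that is not code from the thread or from any DKIM implementation: the author domain's signature carries a list of endorsed re-signers, and the verifier only has to check whether the re-signer's d= domain appears in it. The "fs=" tag name, the colon-separated value syntax and the sample headers are assumptions made for this example; cryptographic verification of both signatures is assumed to have happened elsewhere.

```python
import re

# Constructed sample DKIM-Signature values (tag=value lists per RFC 6376).
# "fs=" is a placeholder for the "@fs=" endorsement discussed in the thread;
# it is not a registered DKIM tag.
AUTHOR_SIG = (
    "v=1; a=rsa-sha256; d=example.com; s=sel1; c=relaxed/relaxed;\r\n"
    "\th=from:to:subject; bh=AAAA; b=BBBB;\r\n"
    "\tfs=lists.example.net:forwarder.example.org"
)
RESIGNER_SIG = ("v=1; a=rsa-sha256; d=lists.example.net; s=sel2; "
                "h=from:to:subject; bh=CCCC; b=DDDD")
STRANGER_SIG = "v=1; a=rsa-sha256; d=mallory.example; s=x; h=from; bh=EEEE; b=FFFF"


def parse_tags(header_value):
    """Parse a DKIM tag=value list; folding whitespace inside values is dropped."""
    tags = {}
    for item in header_value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % item)
        # Whitespace (including CRLF+WSP folds) is not significant in tag values.
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def endorsed_resigners(author_tags):
    """The private, per-message 'registry': domains the author domain vouches for."""
    return {d.lower() for d in author_tags.get("fs", "").split(":") if d}


def resigner_is_endorsed(author_sig, resigner_sig):
    """True if the re-signer's d= domain is in the author signature's fs= list.

    A re-signer that is absent from the list simply gets no endorsement and the
    message falls back to ordinary evaluation of the author domain's own signature.
    """
    author = parse_tags(author_sig)
    resigner = parse_tags(resigner_sig)
    return resigner.get("d", "").lower() in endorsed_resigners(author)
```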
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc