> As you point out, there are a few different ways that signing policy can
> handle services. You can make the service name a "selector", or use a
> tag similar to s= in the policy record. The latter doesn't scale as
> well to large numbers of services, but the SSP records are short to
> begin with, and I can't think of enough services to run out of UDP-space
> for the policy.

For a new service that always signs and discards unauthenticated traffic, policy could be embedded in each selector. A global policy, with a well-defined namespace, is only needed if unauthenticated traffic is possibly acceptable.

Mark.
_______________________________________________
ietf-dkim mailing list
http://dkim.org
