On Thu, 2006-04-13 at 07:55 -0400, [EMAIL PROTECTED] wrote:

> As an ISP we route customer mail thru our MTAs; we have business
> customers that may use their own MTAs. If a customer determines that
> an entity at foo.com wishes to use bar.com's MTA, are you saying that
> bar.com should not sign on foo.com's behalf? Will that not present a
> problem with the reception of foo.com's mail downstream when DKIM
> sigs are expected everywhere? How do we resolve that?
This is a different problem than being signed by a parent's domain. The risks associated with the parent-domain problem extend to general access to the parent's signing servers, and not to whether their private keys were compromised because of the issue you raise.

The signing domain is not responsible for the use of the email address per the i= parameter, especially in the case of the parent domain. The i= parameter should not permit inclusion of a sub-domain. This _assumes_ per-user constraints where i= values are not simply obtained from the message for administrative convenience to "improve" message acceptance.

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
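To make the d=/i= relationship under discussion concrete, here is an added example (not code from this list or from the thread's authors) that parses a DKIM-Signature tag list and reports whether i= is scoped to the exact signing domain or to a sub-domain of it, whether it names a specific user, and whether the From: domain differs from the i= domain (a third-party signature such as bar.com signing foo.com's mail). The header values are constructed for illustration.

```python
"""Classify the d= / i= relationship in a DKIM-Signature header.

Added example; header values below are constructed, not captured mail.
Per RFC 4871, the domain part of i= must be d= or a sub-domain of d=.
"""
import re
from email.utils import parseaddr


def parse_dkim_tags(header: str) -> dict:
    """Parse a DKIM-Signature tag=value list into a dict."""
    tags = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:            # trailing ';' leaves an empty element
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        # folding whitespace inside values (e.g. b=) is not significant
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def classify_identity(dkim_header: str, from_header: str) -> dict:
    """Report how i= relates to d= and to the From: domain."""
    tags = parse_dkim_tags(dkim_header)
    d = tags["d"].lower()
    i = tags.get("i", "@" + d).lower()          # i= defaults to "@d"
    i_domain = i.rsplit("@", 1)[1]
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
    if i_domain == d:
        scope = "exact"                          # i= is the signer itself
    elif i_domain.endswith("." + d):
        scope = "subdomain"                      # parent-domain signing
    else:
        scope = "invalid"                        # outside d=: not allowed
    return {
        "d": d,
        "i": i,
        "scope": scope,
        "per_user": not i.startswith("@"),       # a specific local-part
        "third_party": from_domain != i_domain,  # signer != From: domain
    }
```

A verifier that treats `scope == "invalid"` as a failed signature and flags `third_party` separately keeps bar.com's signature on foo.com's mail evaluable without letting bar.com assert a foo.com identity through i=.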
