On Aug 3, 2006, at 9:25 AM, Michael Thomas wrote:
Mark Delany wrote:
NS delegation works for exactly one provider. This is probably
just fine for a pretty reasonable swath of small business, but it
really doesn't address the whole spectrum. For example, if I
outsource my mail to isp.com, I'm also pretty likely to outsource
my email campaigns to advertisomatic.com too.
Right. I wasn't really trying to address the whole spectrum. The
suggestion is that the common case is not as hard as it seems some
are saying. More importantly, the common case need not involve
third-party signatures.
But do we really know if the common case really works for the
common solution (ns) that we're envisioning? You sign for a lot of
domains, but do you really know what other mailing services that
your customers are using? If many/most are also using outsourced
third parties as well as your regular mail service, then that mail
will not have valid signatures until you provide an interface to
publish their selectors.
like there would be some advantage to do the indirection at the
protocol layer (eg, SSP) rather than at the DNS layer (eg NS).
Sure, in this scenario you need a multi-indirection capability,
regardless of the technology you use. But is this saying anything
more than complex requirements require complex deployments?
The more general question I guess is how much do we want to get
into defining management mechanisms? Largely I'd think such things
don't require standardization and might benefit from a competitive
landscape.
I certainly don't want to get into that definition, but the
question is whether the deployment model is even plausible. You're
opening up this management interface for their _domainkey space
strikes me as a pretty esoteric, high cost/low gain kind of
proposition from the service provider's standpoint. Wouldn't it be
better if there were a way for you to shift that burden back onto
your customers reasonably?
Agreed. A list of designated signing domains would be this
mechanism. All that would be required of the DKIM provider would be to:
1) Authenticate all accounts.
2) Verify reception of any From email-address used by these accounts.
Both 1 and 2 should be rather simple. Step 2 should represent
essentially the same process as used to subscribe to a mailing list.
Both of these are rather simple to automatically administer. Neither
of these steps will involve making DNS changes in order to satisfy
their users.
The effort is moved to the user, where they can designate the DKIM
provider that they use and also believe to be doing the right thing.
This information then informs the recipients which identities might
be trusted based upon assurances made by the signer and the policy of
the From domain.
-Doug
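As an added illustration of the recipient-side check Doug describes above (a From domain publishing a list of designated signing domains), here is example code that is not from the thread or from any DKIM implementation; the policy record format, the domain names and the header samples are constructed assumptions:

```python
from email.utils import parseaddr

# Constructed sample policy records, keyed by From domain. The record format
# (a "d=" list of designated signing domains) is a hypothetical illustration
# of the mechanism discussed in the thread, not a published DKIM/SSP format.
DESIGNATED_SIGNER_RECORDS = {
    "example.com": "v=hyp1; d=isp.com:advertisomatic.com",
    "example.org": "v=hyp1; d=",            # signs only for itself
}

def parse_tags(value):
    """Split a 'k=v; k=v' tag list (DKIM-Signature style) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags

def designated_signers(from_domain, records=DESIGNATED_SIGNER_RECORDS):
    """Return the set of third-party domains the From domain has designated,
    or None when the From domain publishes no policy at all."""
    record = records.get(from_domain.lower())
    if record is None:
        return None
    return {d.lower() for d in parse_tags(record).get("d", "").split(":") if d}

def classify_signature(headers, records=DESIGNATED_SIGNER_RECORDS):
    """Classify the signer relative to the From domain's designated-signer policy.

    Assumes the DKIM-Signature has already been cryptographically verified;
    this is only the policy step a recipient would run afterwards.
    Returns 'unsigned', 'first-party', 'designated', 'undesignated' or 'no-policy'.
    """
    _, addr = parseaddr(headers.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    sig = headers.get("DKIM-Signature")
    if not sig:
        return "unsigned"
    signer = parse_tags(sig).get("d", "").lower()
    if signer == from_domain:
        return "first-party"          # no third-party question arises
    allowed = designated_signers(from_domain, records)
    if allowed is None:
        return "no-policy"            # recipient cannot tell; local policy decides
    return "designated" if signer in allowed else "undesignated"

# Constructed sample: mail from example.com signed by its outsourced campaign provider.
SAMPLE_HEADERS = {
    "From": "Alice <alice@example.com>",
    "DKIM-Signature": "v=1; a=rsa-sha256; d=advertisomatic.com; s=sel1; b=AAAA",
}
```

Running `classify_signature(SAMPLE_HEADERS)` yields "designated", since the From domain listed advertisomatic.com; the same signature on mail from example.org would be "undesignated".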
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html