On Aug 17, 2006, at 11:47 AM, Michael Thomas wrote:
> Scott Kitterman wrote:
>> It gets back to is the signer controlled or uncontrolled. Only a
>> controlled signer is suitable for SSP delegation (this would be a
>> contractual matter between the ISP and their customers).
>
> If that's really the case, I'm not sure why this idea has any merit
> at all because we already have the means to do controlled
> delegation using NS records, and it doesn't tickle any of these
> problems.

Without the means to ensure _only_ valid 2822.From addresses are signed
by the domain, not being suitable as a designated domain is of lesser
importance. The untrustworthy 2822.From address would be a far
greater issue. This is not a hole that must be filled for a
designated domain list to be viable. A policy that lists the
authoritative domains can accurately convey whether assurances are
made with respect to the validity of the 2822.From address. No
domains listed, then there is no assurance of the 2822.From's
validity. Perhaps there needs to be a separate assertion regarding
the validity of the 2822.From address.

A large ISP may wish to take the steps needed to validate a 2822.From
address that is not within their domain. One can obtain an
email-certificate in roughly the same manner. This extra step would allow
this signing domain to be certified as suitable for DKIM domain
designation. It would also allow their customers greater freedom to
use desired email-addresses while knowing they are still protected
from being spoofed. Their recipients would also obtain assurances
made by a certified DKIM signing domain that the 2822.From address is
valid. When the domain of the 2822.From address designates this
signing domain, both parties reap the benefits afforded by the
greatly simplified administration.

If there is a choice offered, bet dollars to doughnuts that domain
designation within the 2822.From policy will be the preferred method
over DNS zone delegation for the majority of smaller outfits. This
approach should induce fewer support calls, require less back-office
overhead, and attract greater demand for the service provider
offering the simpler service. Without question, a larger outfit will
opt for the zone delegation approach. At the same time, it seems
many smaller outfits will find the ability to designate a signing
domain fairly attractive. This will likely afford smaller outfits
lower associated costs, and increased acceptance of their messages.

-Doug