On Aug 29, 2006, at 11:02 AM, Hallam-Baker, Phillip wrote:
> The point I was trying to make here is that if I delegate any part
> of my DKIM key record space to your system you now have the ability
> to produce email messages that authenticate as coming from me.
> Regardless of any statement that might appear in the DKIM spec I
> can't see my CISO accepting a situation where I delegate to a third
> party the ability to sign on behalf of my CEO. You can claim that
> the signature is not transactional as much as you like; I don't
> think such a statement would be supportable.
>
> We could continue to go the NS record route, but why tell people to
> use a mechanism that has serious security problems, does not expose
> the desired information, does not provide as much control, is
> vastly more complex and requires use of very powerful DNS constructs?
>
> I think that the presumption here should be against use of
> mechanisms like NS or CNAME if the use case is adopted unless it
> can be shown that there is no other way to achieve the outcome.
Agreed.
-Doug
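The delegation risk described in the quoted message, as an added example that is not part of this thread or of any DKIM implementation: a small audit of who can publish the public key for each of a domain's DKIM selectors. It walks NS delegations below the apex and CNAME chains, and flags any selector whose key record is served from outside the domain's own zone. The DNS answers are constructed inline (hypothetical names under example.com, example.org and mailer.example.net, with placeholder key material) so the check runs offline; a real audit would feed in resolver answers for the same owner names.

```python
"""Audit who controls a domain's DKIM selector records.

Added example, not code from the mailing-list thread. The DNS answers in
ZONE are constructed inline (hypothetical names, placeholder keys) so the
check runs offline; a real audit would substitute resolver answers.
"""
from typing import Dict, List, Tuple

RRs = Dict[str, List[Tuple[str, str]]]

# Constructed zone data: owner name -> [(rrtype, rdata)].
ZONE: RRs = {
    # s1: key published in the domain's own zone.
    "s1._domainkey.example.com.": [("TXT", "v=DKIM1; k=rsa; p=MIIBIjANBg_placeholder")],
    # s2: CNAME to an outsourced mail provider, which publishes the key.
    "s2._domainkey.example.com.": [("CNAME", "s2.example-com.mailer.example.net.")],
    "s2.example-com.mailer.example.net.": [("TXT", "v=DKIM1; k=rsa; p=MIIBIjANBg_placeholder")],
    # s4: revoked key (empty p= tag).
    "s4._domainkey.example.com.": [("TXT", "v=DKIM1; k=rsa; p=")],
    # s5: CNAME that stays inside the domain's own zone.
    "s5._domainkey.example.com.": [("CNAME", "dkim-2024.keys.example.com.")],
    "dkim-2024.keys.example.com.": [("TXT", "v=DKIM1; k=rsa; p=MIIBIjANBg_placeholder")],
    # example.org delegates its whole _domainkey subtree by NS to a third party.
    "_domainkey.example.org.": [("NS", "ns1.mailer.example.net.")],
}


def parse_dkim_tags(txt: str) -> Dict[str, str]:
    """Split a DKIM TXT record ("v=DKIM1; k=rsa; p=...") into a tag dict."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def in_zone(name: str, domain: str) -> bool:
    """True if name is the domain itself or lies beneath it."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def rrset(zone: RRs, name: str, rrtype: str) -> List[str]:
    """Rdata of all records of one type at an owner name (empty if none)."""
    return [rdata for rtype, rdata in zone.get(name, []) if rtype == rrtype]


def dkim_key_controller(domain: str, selector: str, zone: RRs) -> dict:
    """Report who can publish the key for selector._domainkey.domain."""
    domain = domain.rstrip(".").lower()
    name = f"{selector}._domainkey.{domain}."
    labels = name.rstrip(".").split(".")
    depth = len(labels) - len(domain.split("."))
    # 1. An NS delegation at any label between the selector and the apex hands
    #    the whole subtree, including future selectors, to those nameservers.
    for i in range(depth):
        owner = ".".join(labels[i:]) + "."
        outside = [ns for ns in rrset(zone, owner, "NS") if not in_zone(ns, domain)]
        if outside:
            return {"control": "ns", "controller": outside[0], "record_name": owner,
                    "key_present": False, "revoked": False}
    # 2. Follow CNAMEs; leaving the zone means a third party publishes the key.
    current, left_zone = name, False
    for _ in range(8):  # bounded so a CNAME loop cannot spin forever
        targets = rrset(zone, current, "CNAME")
        if not targets:
            break
        current = targets[0]
        left_zone = left_zone or not in_zone(current, domain)
    # 3. Inspect the key record that finally answers.
    txts = rrset(zone, current, "TXT")
    tags = parse_dkim_tags(txts[0]) if txts else {}
    is_dkim = tags.get("v", "DKIM1") == "DKIM1" and "p" in tags
    return {
        "control": "cname" if left_zone else ("self" if txts else "missing"),
        "controller": current if left_zone else domain,
        "record_name": current,
        "key_present": is_dkim and tags["p"] != "",
        "revoked": is_dkim and tags["p"] == "",
    }


def delegated_selectors(domain: str, selectors: List[str], zone: RRs) -> List[str]:
    """Selectors whose signing key is published by a party outside the domain."""
    return [s for s in selectors
            if dkim_key_controller(domain, s, zone)["control"] in ("cname", "ns")]


if __name__ == "__main__":
    for sel in ["s1", "s2", "s4", "s5"]:
        print("example.com", sel, dkim_key_controller("example.com", sel, ZONE))
    print("example.org", "s3", dkim_key_controller("example.org", "s3", ZONE))
    print("delegated:", delegated_selectors("example.com", ["s1", "s2", "s4", "s5"], ZONE))
```

The NS case is reported before any key is even looked at: once `_domainkey.example.org` is delegated, whoever runs those nameservers can answer for any selector, not just the ones the domain owner knows about, which is the point Hallam-Baker makes about losing control. A CNAME that stays inside the domain's own zone is treated as self-controlled, since no outside party can change what it resolves to.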
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html