On Oct 14, 2006, at 7:49 AM, Scott Kitterman wrote:
> I think it would be better to leave it in, but the use cases I was
> particularly concerned about have been addressed, so I no longer
> think it's essential.
A designated scheme is still desirable, perhaps even essential. Use
of CNAMEs may be seen as an alternative to DNS delegation, but the
CNAME technique still means:
1) A third-party controls your private key signing as your domain.
2) The DKIM directed feedback will not be sent to the affected domain.
3) Confirmation that CNAMEs are properly implemented may not happen
prior to signing.
4) Customer signing requires unique keys rather than unique sub-domains.
5) Valid messages without valid keys will become more common.
6) Key roll-over may unexpectedly expose customer configuration errors.
7) Customer's DNS implementation may be internally fragile when the
reference of a CNAME is assigned a different address.
8) Details related to the selectors used for the customer's domains,
whether email-addresses are to be asserted as valid, the TTL of the
keys, and whether this key applies to sub-domains must be exchanged
prior to signing.
Policy designating a signing domain will not affect the integrity of
the signing/key relationship. Designation allows an email-address
domain owner to independently decide whether their email-addresses
should be asserted as valid when signed by a provider's specific
domain. Designation relationships can be safely established at any
time in an autonomous fashion fully compatible with most email-
service arrangements. The minimal administration needed for
designation permits scaling to a greater number of customers.
Designation will increase the integrity of DKIM signed messages.
-Doug
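The "CNAME technique" Doug lists problems with works by the customer publishing `<selector>._domainkey.<customer>` as a CNAME to the provider's key record, so the provider can sign with `d=<customer>`. Points 3, 5, 6 and 8 all come down to the provider signing before anyone has confirmed that the customer's name actually resolves to the expected key with compatible flags. The following is an added example, not code from this thread or from any DKIM implementation: a pre-signing check that follows the CNAME chain, parses the DKIM key record (the `v=`, `k=`, `p=` and `t=` tags of RFC 4871), and reports the mismatches the post warns about. The zone data, domain names and key values are constructed for the example; lookups run against an in-memory dict rather than live DNS so it runs offline.

```python
"""Pre-signing check for CNAME-delegated DKIM selector records (added example)."""
from __future__ import annotations

# Constructed zone: owner name -> list of (rrtype, rdata).
# "provider.example" has rolled its key from CONSTRUCTED_KEY_V1 to _V2 and
# dropped the old "old" selector; the customers below delegated in
# different ways and are affected differently by that roll-over.
ZONE = {
    "s1._domainkey.provider.example": [("TXT", "v=DKIM1; k=rsa; p=CONSTRUCTED_KEY_V2")],
    # delegated correctly: follows the provider's current key
    "s1._domainkey.good.example": [("CNAME", "s1._domainkey.provider.example")],
    # delegated to a selector the provider retired at roll-over (dangling)
    "s1._domainkey.stale.example": [("CNAME", "old._domainkey.provider.example")],
    # self-hosted copy of the key, but with t=s (no sub-domain coverage)
    "s1._domainkey.strict.example": [("TXT", "v=DKIM1; k=rsa; t=s; p=CONSTRUCTED_KEY_V2")],
    # misconfigured pair of CNAMEs pointing at each other
    "s1._domainkey.loop.example": [("CNAME", "s1._domainkey.loop2.example")],
    "s1._domainkey.loop2.example": [("CNAME", "s1._domainkey.loop.example")],
}


def resolve_txt(zone: dict, name: str, max_hops: int = 8) -> tuple[str, str]:
    """Follow CNAMEs from `name` until a TXT record is found.

    Returns (final_owner_name, txt_rdata). Raises LookupError on a dangling
    chain, a CNAME loop, or a chain longer than max_hops.
    """
    seen: set[str] = set()
    for _ in range(max_hops):
        if name in seen:
            raise LookupError(f"CNAME loop at {name}")
        seen.add(name)
        rrs = zone.get(name, [])
        txt = [rdata for rrtype, rdata in rrs if rrtype == "TXT"]
        if txt:
            return name, txt[0]
        cname = [rdata for rrtype, rdata in rrs if rrtype == "CNAME"]
        if not cname:
            raise LookupError(f"no TXT or CNAME at {name}")
        name = cname[0]
    raise LookupError(f"CNAME chain exceeds {max_hops} hops")


def parse_dkim_record(txt: str) -> dict[str, str]:
    """Split a DKIM key record ("tag=value; tag=value") into a dict."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = value.strip()
    return tags


def preflight(zone: dict, selector: str, domain: str, expected_key: str,
              signs_subdomains: bool = False) -> list[str]:
    """Return the problems that would make signing d=<domain> unsafe.

    An empty list means the published record matches what the signer
    expects. `expected_key` is the p= value the signer's private key
    corresponds to; `signs_subdomains` says whether the signer will put
    sub-domains of `domain` in the i= tag.
    """
    problems: list[str] = []
    name = f"{selector}._domainkey.{domain}"
    try:
        final, txt = resolve_txt(zone, name)
    except LookupError as err:
        return [f"unresolvable: {err}"]
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":        # v= is optional, DKIM1 if present
        problems.append(f"unexpected version {tags['v']!r}")
    if tags.get("k", "rsa") != "rsa":            # only rsa is defined in RFC 4871
        problems.append(f"unsupported key type {tags['k']!r}")
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("key revoked (empty p=)")
    elif tags["p"] != expected_key:
        problems.append(f"key mismatch via {final}")
    flags = set(tags.get("t", "").split(":")) - {""}
    if "y" in flags:
        problems.append("record is in testing mode (t=y)")
    if signs_subdomains and "s" in flags:
        problems.append("t=s: key does not cover sub-domains")
    return problems


if __name__ == "__main__":
    for customer in ("good", "stale", "strict", "loop"):
        issues = preflight(ZONE, "s1", f"{customer}.example", "CONSTRUCTED_KEY_V2",
                           signs_subdomains=True)
        print(f"{customer}.example: {issues or 'ok to sign'}")
```

Run before each signing batch (or at least after every key roll-over), this turns points 3 and 6 from surprises found by receivers into errors found by the provider; the `signs_subdomains` argument covers the sub-domain question in point 8, which otherwise has to be exchanged out of band.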
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html