On 10/5/09 8:54 AM, John Levine wrote:
>> Perhaps the appropriate answer might be an update or addendum to best
>> practices document or an informational document.
>
> Sure. What I've been hearing tells me that people need better DNS
> provisioning tools, not another wart in DKIM.
John,

Creating a method to "authorize" mailing lists might represent such a use without causing a wart to appear.

Suggesting mailing lists arrange selectors that perhaps use CNAME references, arranged by authorizing domains to point to their current public key, to then allow these third-party domains to become indistinguishable from the domains offering authorization, represents an unsatisfactory and insecure approach, and this should be seen as a wart. Selector or key exchanges would also represent a coordinated interaction between two or more administrators that will need to be maintained as selectors or keys are updated.

There was a suggestion on par with ADSP that used a single query to answer whether some party had been "authorized" to sign on behalf of the domain. This approach scales to _any_ level without requiring additional queries. This approach only requires a single administrator to make the authorizations, without coordination with the signing domain being authorized. I would be happy to update the draft that gave an example of how this might be done.

The suggestion that careful and routine coordination between two or more domains, to accomplish what would appear to represent a first-party signature, overlooks the value of having a clear "authorization" of a third-party signature. DKIM policies, in a similar manner to that of ADSP, could be conveyed, likely offering actionable information for a greater percentage of the grey-area cases where this policy information is most needed.

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
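The single-query third-party authorization Doug contrasts with the CNAME-selector approach, as an added example that is not part of the original message or of any IETF draft. The `_atps` subdomain, the `v=ATPS1; d=<signer>` record syntax and the hashed-label encoding are assumptions made for this illustration; the DNS zone is a constructed in-memory table so the example runs offline, and the DKIM signature is taken to have already verified, so its `d=` tag is trusted. The author domain publishes one record per signer it authorizes and never has to exchange selectors or keys with that signer; a verifier resolves one name to decide whether a signature whose `d=` differs from the From: domain was authorized.

```python
"""Added example (not from the original message or any DKIM/ADSP draft):
a single-query third-party signer authorization check laid out like an
ADSP lookup. The `_atps` label, record syntax and hash encoding are
assumptions; the zone is constructed inline so this runs offline."""
import base64
import hashlib
import re
from typing import Dict, Optional


def atps_label(signer_domain: str) -> str:
    """Derive a fixed-length DNS label from the signer's domain (assumed
    encoding): SHA-256 truncated to 20 bytes, base32, no padding.
    Hashing keeps any signer name inside the 63-octet label limit."""
    digest = hashlib.sha256(signer_domain.lower().encode("ascii")).digest()
    return base64.b32encode(digest[:20]).decode("ascii").lower()


# Constructed zone data standing in for DNS TXT records. The author
# domain (example.org) publishes one record per signer it authorizes,
# keyed by the hashed signer name; it never touches the signer's keys.
ZONE: Dict[str, str] = {
    atps_label("lists.example.net") + "._atps.example.org":
        "v=ATPS1; d=lists.example.net",
}


def lookup_txt(name: str) -> Optional[str]:
    """Stand-in for a DNS TXT query (assumption: one record per name)."""
    return ZONE.get(name.lower())


def parse_tags(value: str) -> Dict[str, str]:
    """Parse a tag=value list of the form used by DKIM and ADSP records."""
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def third_party_authorized(author_domain: str, signer_domain: str) -> bool:
    """One DNS query answers whether signer_domain may sign for
    author_domain; no coordination with the signer is required."""
    name = f"{atps_label(signer_domain)}._atps.{author_domain.lower()}"
    record = lookup_txt(name)
    if record is None:
        return False
    tags = parse_tags(record)
    # The d= tag must echo the signer, so a hash collision or a stray
    # record under the label cannot authorize a different domain.
    return (tags.get("v") == "ATPS1"
            and tags.get("d", "").lower() == signer_domain.lower())


def author_domain_of(from_header: str) -> str:
    """Domain part of the From: address (the RFC 5322 author domain)."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    if not match:
        raise ValueError("no domain in From: header")
    return match.group(1).lower()


def classify(headers: Dict[str, str]) -> str:
    """Classify an already-verified DKIM signature against the From: domain."""
    author = author_domain_of(headers["From"])
    sig = headers.get("DKIM-Signature")
    if sig is None:
        return "unsigned"
    signer = parse_tags(sig).get("d", "").lower()
    if signer == author:
        return "first-party"
    if third_party_authorized(author, signer):
        return "authorized-third-party"
    return "unauthorized-third-party"


# Constructed messages; the author domain is example.org in every case.
LIST_MSG = {
    "From": "Alice <alice@example.org>",
    "DKIM-Signature": "v=1; a=rsa-sha256; d=lists.example.net; s=list1; "
                      "h=from:to:subject; bh=...; b=...",
}
DIRECT_MSG = {
    "From": "Alice <alice@example.org>",
    "DKIM-Signature": "v=1; a=rsa-sha256; d=example.org; s=mail; "
                      "h=from:to:subject; bh=...; b=...",
}
STRANGER_MSG = {
    "From": "Alice <alice@example.org>",
    "DKIM-Signature": "v=1; a=rsa-sha256; d=relay.example.com; s=x; "
                      "h=from; bh=...; b=...",
}

if __name__ == "__main__":
    for label, msg in (("list", LIST_MSG), ("direct", DIRECT_MSG),
                       ("stranger", STRANGER_MSG)):
        print(label, classify(msg))
```

The point the example makes against the CNAME approach is in `classify`: the signature keeps its real `d=` (the list's domain), so the verifier can tell a first-party signature from an authorized third-party one, and the author domain revokes a list by deleting one TXT record rather than rotating a shared selector.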
