[ietf-dkim] New issue: Signing by parent domains
Bill.Oxley at cox.com
Thu Apr 13 16:10:06 PDT 2006
Jim,
So if they use our MTAs, the signatures would in fact be from cox.com as
I don't believe there is a method to have us sign as foo.com as the
reverse lookup for foo.com wouldn't match where the mail is coming from,
unless I am missing a lot here.
Please explain,
Thanks,
Bill Oxley
Messaging Engineer
Cox Communications, Inc.
Alpharetta GA
404-847-6397
bill.oxley at cox.com
-----Original Message-----
From: Jim Fenton [mailto:fenton at cisco.com]
Sent: Thursday, April 13, 2006 6:42 PM
To: Oxley, Bill (CCI-Atlanta)
Cc: ietf-dkim at mipassoc.org
Subject: Re: [ietf-dkim] New issue: Signing by parent domains
Bill.Oxley at cox.com wrote:
> As an ISP we route customer mail thru our MTAs, we have business
> customers that may use their own MTAs. If a customer determines that
> entity at foo.com wishes to use bar.com's MTA are you saying that
> bar.com should not sign on foo.com's behalf? Will that not present a
> problem with the reception of foo.com's mail downstream when DKIM sigs
> are expected everywhere? How do we resolve that?
>
Bill,
This is a different issue entirely. Currently, foo.com is automatically
entitled to sign for addresses in subdomains, e.g., user at sub.foo.com,
without any additional publication of keys. This doesn't affect the
ability of foo.com to delegate authority to sign messages to bar.com.
So as an ISP, your customers would have the choice of signing messages
themselves using their own MTAs, or allowing you to sign messages for
them by publishing public keys (selectors) in DNS which correspond to
private keys you hold. In any case, it's also OK for you to also apply
a signature as cox.com if you want, although for SSP purposes this would
be considered a "third party" signature since it isn't a signature on
behalf of the origination address.
-Jim
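
The distinction drawn in the quoted reply above, as an added example that is not part of the original thread: it reads the d= and s= tags of a DKIM-Signature, derives the DNS name where the public key is published, and labels the signature first-party, parent-domain, or third-party relative to the From address. The sample headers and the selector names (isp1, mta) are constructed, and no cryptographic verification is performed.

```python
import re
from email.utils import parseaddr

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # folding whitespace dropped
    return tags

def key_record_name(tags):
    """DNS name of the public key: <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def classify(from_header, tags):
    """Relate the signing domain (d=) to the domain of the From address."""
    author = parseaddr(from_header)[1].rpartition("@")[2].lower()
    signer = tags["d"].lower()
    if not author:
        return "unknown"
    if author == signer:
        return "first-party"
    # Parent-domain signing as described in the message: foo.com for sub.foo.com.
    # The leading dot keeps notfoo.com from matching foo.com.
    if author.endswith("." + signer):
        return "first-party (parent domain)"
    return "third-party"

# Constructed samples: (From header, DKIM-Signature value). Selectors are made up.
SAMPLES = [
    ("User <user@foo.com>", "v=1; a=rsa-sha256; d=foo.com; s=isp1; h=from; b=CONSTRUCTED"),
    ("user@sub.foo.com", "v=1; a=rsa-sha256; d=foo.com; s=isp1; h=from; b=CONSTRUCTED"),
    ("user@foo.com", "v=1; a=rsa-sha256; d=cox.com; s=mta; h=from; b=CONSTRUCTED"),
    ("user@notfoo.com", "v=1; a=rsa-sha256; d=foo.com; s=isp1; h=from; b=CONSTRUCTED"),
]

def report():
    """Return (classification, key record name) for each constructed sample."""
    out = []
    for from_header, sig in SAMPLES:
        tags = parse_tags(sig)
        out.append((classify(from_header, tags), key_record_name(tags)))
    return out

if __name__ == "__main__":
    for row in report():
        print(row)
```

In the first sample the key record lives under foo.com even though the ISP would hold the matching private key, which is the delegation case; the third sample is the ISP signing under its own domain.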