[ietf-dkim] The URL to my paper describing the DKIM policy options

Scott Kitterman ietf-dkim at kitterman.com
Wed Jul 26 09:21:59 PDT 2006


On Wednesday 26 July 2006 11:54, Bill.Oxley at cox.com wrote:
> Scott,
> I think that each domain would have a public key and the aggregator MTA
> that is shared would sign on behalf of that domain
> Jobob.com uses mx.isp.com to send mail
> jobob.com would have a dns record containing public key information
> mx.isp.com would sign using jobob.com keys.
>
> Now conversely keeping jobob.com keys updated in a timely manner would
> be time consuming so perhaps isp.com would have a policy that
> "I sign all mail" and maintain a single record. This would be trivially
> spoofable until the message hits the verifier which would then fail the
> signature.

And this is where there might be a complexity trade-off that is worth 
considering.

If our policy protocol gives jobob.com the ability to say "all mail is signed 
and the signer is isp.com" then the need for the added management complexity 
associated with multiple keys for multiple domains on the same host is 
mitigated.  

It is, of course, important to note that this would place a requirement on 
isp.com to ensure that messages it signed on behalf of jobob.com really were 
from jobob.com.  

Scott K
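The policy check sketched in this exchange, modelled as an added example (it is not code from the thread or from any DKIM implementation): a verifier looks up the From: domain's policy record, extracts the d= tag of the DKIM-Signature header, and decides whether a signer other than the From: domain is authorized to sign for it. The record syntax (dkim=all; signer=isp.com), the domains, the sample headers, and the signature_verifies flag that stands in for the cryptographic check are all assumptions made for the example.

```python
import re

# Constructed policy records, keyed by the From: domain. The record syntax
# (dkim=all; signer=<domain>) is assumed for this example; it is not a
# format defined by DKIM, SSP or any published specification.
POLICY_RECORDS = {
    "jobob.com": "dkim=all; signer=isp.com",   # all mail signed, by isp.com
    "example.net": "dkim=all",                 # all mail signed, by itself
}

# Constructed sample headers: jobob.com mail relayed through mx.isp.com,
# which signs with isp.com's key (b= and bh= values are placeholders).
LEGIT = {
    "From": "alice@jobob.com",
    "DKIM-Signature": "v=1; a=rsa-sha256; d=isp.com; s=mx; "
                      "h=from:to:subject; bh=placeholder; b=placeholder",
}
UNSIGNED = {"From": "alice@jobob.com"}


def parse_policy(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased keys."""
    policy = {}
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            policy[tag.strip().lower()] = value.strip().lower()
    return policy


def authorized_signers(domain, policy):
    """A domain may always sign its own mail; 'signer' adds third parties."""
    signers = {domain}
    for s in policy.get("signer", "").split(","):
        if s.strip():
            signers.add(s.strip())
    return signers


def header_domain(from_header):
    """Extract the domain part of a From: address (lower-cased)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else None


def signing_domain(sig_header):
    """Return the d= tag of a DKIM-Signature header, or None."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig_header)
    return m.group(1).lower() if m else None


def evaluate(headers, signature_verifies, records=POLICY_RECORDS):
    """
    Decide whether a message satisfies the From: domain's policy.
    'signature_verifies' stands in for the cryptographic check, which is
    assumed to have been done by a real DKIM verifier against d='s key.
    Returns (result, reason) with result in {'pass', 'fail', 'none'}.
    """
    domain = header_domain(headers.get("From", ""))
    policy = parse_policy(records.get(domain, ""))
    sig = headers.get("DKIM-Signature")
    d = signing_domain(sig) if sig else None
    requires_sig = policy.get("dkim") == "all"

    if d is not None and signature_verifies:
        if d in authorized_signers(domain, policy):
            return "pass", "valid signature by authorized signer %s" % d
        if requires_sig:
            return "fail", "%s is not an authorized signer for %s" % (d, domain)
        return "none", "valid signature by %s but no policy for %s" % (d, domain)
    if requires_sig:
        if d is None:
            return "fail", "policy requires a signature but none is present"
        # The spoof from the quoted message: a forged d=isp.com header whose
        # signature does not verify is rejected at the verifier.
        return "fail", "signature by %s does not verify" % d
    return "none", "no usable signature and no policy for %s" % domain


if __name__ == "__main__":
    print(evaluate(LEGIT, True))       # ('pass', ...)
    print(evaluate(LEGIT, False))      # ('fail', ...) forged signature
    print(evaluate(UNSIGNED, False))   # ('fail', ...) policy says all signed
```

This models only the verifier's side. The requirement the message places on isp.com, that it sign for jobob.com only when the mail really came from jobob.com, is an authorization check inside isp.com's MTA that the verifier cannot observe; a verifier trusts whatever isp.com signed.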
