[ietf-dkim] Delegating responsibility: a make vs. buy design decision

Michael Thomas mike at mtcc.com
Fri Aug 18 11:46:29 PDT 2006


Dave Crocker wrote:

>In other words, I suggested that use of classic DNS sub-domains provides the
>delegation features that cover the interesting cases for DKIM.
>
>I continue to be unclear what is superior about having SSP invent a new
>mechanism that creates security problems and additional administrative overhead.

Naively, I think there are some cases where the NS delegation mechanism
leaves something to be desired and hence the desire to have a more passive
arrangement between the domain holder and the signer. What I think we're
finding is that there's no free lunch and that the seemingly desirable
passive mode suffers from unacceptable security problems. If it turns out
that the passive mode of delegation is in fact active after all (i.e.,
requires agreement between domain holder/signer), then the requirement
should be dropped since you're exactly right: we already have a means to
do that.

I think we're pretty much there, IMO. I'll let Stephen and Barry call that
though.

       Mike

