[ietf-dkim] Delegating responsibility: a make vs. buy design
dotis at mail-abuse.org
Fri Aug 18 13:41:09 PDT 2006
On Aug 18, 2006, at 1:32 PM, Jim Fenton wrote:
> Scott Kitterman wrote:
>> What security problems are there with a list of authorized signing
>> domains that are not equally applicable to the the NS delegation/
>> operator signs with the author's domain approach? I'm unclear
>> about that. Maybe we can help each other out.
> With key delegation (either with NS, or by publishing a TXT record
> with a public key that the signing operator uses), the operator
> signs using the author's (or more generally the delegator's) domain
> name, and can use i= to specify that the signature corresponds to
> the author's address. So it's possible to see that it's an author
> signature. With authorized signing domains, the operator signs
> using its own domain name, and no association with the specific
> signing address (either the local-part, or specification of which
> delegated domain) is possible.
This is a valid point.
Either a listed domain must be assumed to have validated the
2822.From address "as-if" the 'i=' syntax were used, or a flag must
be included that indicates whether the 2822.From should be considered
The "invalid" flag is not needed, but Hector will want to be able to
list who signs even when the 2822.From is not validated.
More information about the ietf-dkim