[ietf-dkim] New issue: ssp-requirements-01 // Designated Signing
Domain Scenario missing
dotis at mail-abuse.org
Thu Sep 21 14:10:06 PDT 2006
On Sep 20, 2006, at 11:10 PM, Jim Fenton wrote:
> The language you're suggesting here sounds like it's suggesting a
> design (use of Designated Signing Domains) rather than a
> requirement (ability to delegate signing authority). I'd prefer to
> see something much more general, i.e. that it be possible to
> delegate signing authority under the following constraints (...).
One of the goals in adding this section, or having this document, is
to develop clear and succinct terminology.
Does this look better?
o DKIM Delegation: Delegating to a different domain, through DNS zone
delegation or key sharing, where this different domain transparently
signs as the delegating domain.
o Designated Signing Domain: Designating a different domain, through
an email-address policy reference of the different domain, where the
different domain's signature is then considered equivalent to that
of the delegating domain for the purpose of evaluation other policy
4.6. Scenario 6: Designated Signing Domain
Many domains do not run their own mail infrastructure, or may
outsource parts of it to third parties. It is desirable for a domain
holder to have an ability simply designate that other entities sign
for them as being equivalent to a first party signature for the
purpose of evaluating other policy assertions.
One obvious use scenario is a domain holder for a small domain that
wishes to allow their outgoing ISP to sign mail on their behalf. As
with outsourced first party signing, other use scenarios include
outsourced bulk mail for marketing campaigns, as well as outsourcing
various business functions such as insurance benefits, etc.
As with outsourced first party signing, the provider of the designated
domain must be considered trustworthy and held in high esteem by the
designating domain. The ISP does not select a key referenced from
a domain controlled by a customer. Instead the provider may ensure
only validated email-address are signed by a "clean" domain intended
to be suitable for the purpose of being designated in their customer's
DKIM policies as offering valid email-addresses.
DKIM policies should be able to designate a different domain without
also asserting that an email-addresses contained within the messages
have been validated. This would be roughly equivalent to a signature
lacking the 'i=' parameter.
The ISP is assured better protection of their IP addresses by receiving
DKIM related abuse reports. Control of semantics regarding the validity
of email-address is retained by domain owner.
More information about the ietf-dkim