[ietf-dkim] 1360, "delegation" vs "designation".

Douglas Otis dotis at mail-abuse.org
Mon Oct 16 12:12:27 PDT 2006


On Oct 14, 2006, at 7:49 AM, Scott Kitterman wrote:

>
> I think it would be better to leave it in, but the use cases I was  
> particularly concerned about have been addressed, so I no longer  
> think it's essential.

A designated scheme is still desirable, perhaps even essential.  Use  
of CNAMEs may be seen as an alternative to DNS delegation, but the  
CNAME technique still means:

1) A third party controls your private key signing as your domain.

2) The DKIM directed feedback will not be sent to the affected domain.

3) Confirmation that CNAMEs are properly implemented may not happen  
prior to signing.

4) Customer signing requires unique keys rather than unique sub-domains.

5) Valid messages without valid keys will become more common.

6) Key roll-over may unexpectedly expose customer configuration errors.

7) The customer's DNS implementation may be internally fragile when the
reference of a CNAME is assigned a different address.

8) Details related to the selectors used for the customer's domains,  
whether email-addresses are to be asserted as valid, the TTL of the  
keys, and whether this key applies to sub-domains must be exchanged  
prior to signing.

Policy designating a signing domain will not affect the integrity of  
the signing/key relationship.  Designation allows an email-address  
domain owner to independently decide whether their email-addresses  
should be asserted as valid when signed by a provider's specific  
domain.  Designation relationships can be safely established at any
time in an autonomous fashion fully compatible with most email-service
arrangements.  The minimal administration needed for designation
permits scaling to a greater number of customers.  Designation will
increase the integrity of DKIM signed messages.

-Doug

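The following is an added example, not code from the thread or from any DKIM implementation. It models the situation behind points 3, 5 and 6 above: a provider signs with d=customer.example and s=mail, and the customer is expected to have published a CNAME from mail._domainkey.customer.example to the provider's key record. Nothing in the CNAME arrangement forces the provider to confirm that CNAME before signing, so this shows what such a pre-signing check looks like: resolve the selector name, follow any CNAME chain, parse the RFC 6376 tag=value key record and compare the published p= value with the key the signer actually holds. The zone data, hostnames, selectors and key value are constructed for illustration.

```python
"""Pre-signing check for CNAME-delegated DKIM selectors (added example).

Constructed DNS data stands in for a live resolver.  Each name maps to
("CNAME", target) or ("TXT", text).  All names and the key are made up.
"""

ZONE = {
    # Customer A delegated the selector to the provider's record (correct).
    "mail._domainkey.customer-a.example.": ("CNAME", "custa.dkim.provider.example."),
    "custa.dkim.provider.example.": ("TXT", "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7"),
    # Customer B points at a provider selector name that no longer exists
    # (what a key roll-over at the provider can expose, point 6).
    "mail._domainkey.customer-b.example.": ("CNAME", "old.dkim.provider.example."),
    # Customer C published its own stale key instead of a CNAME; messages
    # signed with the provider's key would then fail verification (point 5).
    "mail._domainkey.customer-c.example.": ("TXT", "v=DKIM1; k=rsa; p=STALEKEY"),
    # Customer D has a CNAME loop.
    "mail._domainkey.customer-d.example.": ("CNAME", "loop.dkim.provider.example."),
    "loop.dkim.provider.example.": ("CNAME", "mail._domainkey.customer-d.example."),
}

# Hypothetical base64 p= value of the key the provider signs with.
PROVIDER_PUBKEY = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7"


def resolve_txt(name, zone=ZONE, max_cnames=8):
    """Follow CNAMEs from name to a TXT record.

    Returns (final_name, txt).  Raises LookupError on NXDOMAIN, a CNAME
    loop, or a chain longer than max_cnames.
    """
    chain = [name]
    for _ in range(max_cnames):
        rr = zone.get(name)
        if rr is None:
            raise LookupError("NXDOMAIN: " + name)
        rtype, data = rr
        if rtype == "TXT":
            return name, data
        name = data  # rtype == "CNAME": continue at the target
        if name in chain:
            raise LookupError("CNAME loop: " + " -> ".join(chain + [name]))
        chain.append(name)
    raise LookupError("CNAME chain longer than %d" % max_cnames)


def parse_dkim_record(txt):
    """Parse an RFC 6376 tag=value list ("v=DKIM1; k=rsa; p=...") to a dict."""
    tags = {}
    for item in txt.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError("malformed tag: " + item)
        key, value = item.split("=", 1)
        tags[key.strip()] = value.strip()
    return tags


def presign_check(domain, selector, pubkey, zone=ZONE):
    """Decide whether signing with d=<domain>; s=<selector> can verify.

    Returns (ok, reason).  ok is True only when the selector name resolves
    (through any CNAMEs) to a DKIM record whose p= equals the signer's key.
    """
    qname = "%s._domainkey.%s." % (selector, domain)
    try:
        target, txt = resolve_txt(qname, zone)
    except LookupError as exc:
        return False, str(exc)
    try:
        tags = parse_dkim_record(txt)
    except ValueError as exc:
        return False, str(exc)
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, "unexpected v= tag in " + target
    published = tags.get("p", "")
    if published == "":
        return False, "key revoked (empty p=) at " + target
    if published != pubkey:
        return False, "key at %s does not match signer key" % target
    return True, "%s -> %s" % (qname, target)


if __name__ == "__main__":
    for cust in ("customer-a", "customer-b", "customer-c", "customer-d"):
        ok, why = presign_check(cust + ".example", "mail", PROVIDER_PUBKEY)
        print(cust, "OK" if ok else "REFUSE", why)
```

Only customer-a passes; the other three are cases a signer would otherwise only discover from bounced verification, after the messages have gone out under the customer's d=. A real check would query a resolver instead of the ZONE dict and would also confirm that the target name is under a zone the provider controls, since a CNAME to someone else's record says nothing about whose key is published there.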
More information about the ietf-dkim mailing list