[ietf-dkim] Seriously.
Douglas Otis
dotis at mail-abuse.org
Wed Jan 23 14:48:18 PST 2008
On Jan 23, 2008, at 1:07 PM, Hector Santos wrote:
> There were various proposals which allowed a receiver to lookup the
> SSP and determine which 3rd party domains were allowed to sign on
> its behalf.
>
> However, I believe, the concern was that it did not scale well,
> i.e., how large can the 3PS list be in the SSP record?
Hector,
Please review the SSP extension for third-party authorization:
http://tools.ietf.org/wg/dkim/draft-otis-dkim-tpa-ssp-02.txt
The TPA-SSP technique easily scales and can include _every_ major
legitimate MTA known to exist within the entire world! Confirmation
of authorization requires a single small DNS transaction. This
technique can resolve DSN issues for third-party domains as well.
TPA-SSP offers a significant security improvement over other
delegation techniques. Provider MTAs would not need to warehouse
their customers' private keys, accept the delegation of their
customers' domains, or maintain CNAME relationships with published keys
in conjunction with the use of different selectors. Management of
TPA-SSP authorizations can be handled autonomously as well, without
impacting the normal operation of the MTA.
-Doug
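To make the scaling point above concrete, here is an added illustration (not code from the thread, the TPA-SSP draft, or any DKIM implementation) of the difference between listing every authorized third-party signer in one SSP record and publishing one small record per signer so that a verifier needs a single lookup. The zone is a constructed in-memory dictionary standing in for DNS, and the name layout (a hashed label under `_tpa._ssp._domainkey.<author-domain>`) and the `v=TPA1; d=...` record syntax are illustrative assumptions, not the exact format defined in draft-otis-dkim-tpa-ssp.

```python
import base64
import hashlib

# Illustrative subtree name; an assumption, not the draft's exact layout.
SSP_SUBTREE = "_ssp._domainkey"


def tpa_label(third_party_domain: str) -> str:
    """Fixed-size DNS label derived from the signer's domain name.

    Hashing keeps every label the same length regardless of how long the
    third-party domain is, and lets the verifier build the query name
    without first fetching any list from the author domain.
    """
    digest = hashlib.sha256(third_party_domain.lower().encode("ascii")).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def tpa_name(author_domain: str, third_party_domain: str) -> str:
    """Query name for one (author domain, third-party signer) pair."""
    return f"{tpa_label(third_party_domain)}._tpa.{SSP_SUBTREE}.{author_domain.lower()}"


def publish_authorization(zone: dict, author_domain: str,
                          third_party_domain: str) -> str:
    """Author domain publishes one small TXT record per authorized signer.

    Record syntax (v=TPA1; d=<signer>) is a constructed example.  The d=
    field repeats the signer name so the verifier can confirm the match
    rather than trusting the hashed label alone.
    """
    name = tpa_name(author_domain, third_party_domain)
    zone[name] = f"v=TPA1; d={third_party_domain.lower()}"
    return name


def is_authorized(zone: dict, author_domain: str, signer_domain: str) -> bool:
    """Verifier side: exactly one lookup decides the question."""
    record = zone.get(tpa_name(author_domain, signer_domain))
    if record is None:
        return False
    fields = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.strip().split("=", 1)
            fields[key.strip()] = value.strip()
    # A truncated hash could in principle collide; the explicit d= check
    # ensures the record really names this signer.
    return fields.get("v") == "TPA1" and fields.get("d") == signer_domain.lower()


def single_record_size(author_domain: str, signers: list) -> int:
    """Size in bytes of the alternative: one SSP record listing every signer.

    This grows linearly with the number of authorized domains, which is
    the scaling concern raised in the quoted message.
    """
    return len(f"v=SSP1; t=3ps; d={':'.join(s.lower() for s in signers)}".encode("ascii"))


if __name__ == "__main__":
    zone = {}
    publish_authorization(zone, "example.com", "mail.provider.example")
    print(is_authorized(zone, "example.com", "MAIL.Provider.Example"))
    print(is_authorized(zone, "example.com", "other.example"))
    many = [f"mta{i}.provider.example" for i in range(500)]
    print(single_record_size("example.com", many))
```

Each additional authorized signer in the per-signer scheme adds one record of constant size to the author domain's zone and changes nothing about the verifier's query, which is why the approach can cover a very large set of legitimate MTAs without any single DNS response growing.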