[ietf-dkim] A proposal for restructuring SSP
Wietse Venema
wietse at porcupine.org
Sun Jan 27 08:09:42 PST 2008
Bill.Oxley at cox.com:
> business customers who have no clue on how to manage DNS or do
> DKIM which rather slows adoption rates. Without this the only
> people doing DKIM will be the spammers (most of my currently signed
> mail is from spammers) and large phished entities like paypal.
> Now since I have a speaking relationship with paypal I don't need
> to use SSP for them.
Bill,
While time leaks away in disagreements on even simple things, may
I show an example of how one DKIM private key could be used to provide
valid first-party signatures for multiple domains.
- Implement DNS DKIM records as CNAMEs to records that are shared
by multiple domains, instead of giving each domain its own. You
could share the same record with all domains, but don't have to.
- Store the private key's NAME in the n= field of the real DKIM
records, so the signing software can figure out which private key
to use. Or find some other way to clue in the signing software.
- Sign with d=customerdomain, instead of d=providerdomain.
By signing with a first-party signature, the verifier's job simplifies
greatly. But doing so also isolates that domain's DKIM reputation
from the DKIM reputations of other domains, for better or worse.
Wietse
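
The setup described in the message above, as an added example that is not part of the original post: selector records for two customer domains are CNAMEs to one shared key record, and the signer reads the private key's name from n= while signing with d=customerdomain. The domain names, the selector "mail", the key name "provider-key-1" and the in-memory zone are constructed assumptions.

```python
# Constructed zone data (all names are hypothetical): two customer domains
# whose selector records are CNAMEs to one provider-hosted DKIM key record.
ZONE = {
    "mail._domainkey.customer-a.example":
        ("CNAME", "shared1._domainkey.provider.example"),
    "mail._domainkey.customer-b.example":
        ("CNAME", "shared1._domainkey.provider.example"),
    "shared1._domainkey.provider.example":
        ("TXT", "v=DKIM1; k=rsa; n=provider-key-1; p=PLACEHOLDER_PUBLIC_KEY"),
}

def resolve_txt(name, zone=ZONE, max_hops=8):
    """Follow CNAMEs from name to a TXT record; return (owner, txt)."""
    seen = set()
    for _ in range(max_hops):
        key = name.rstrip(".").lower()
        if key in seen:
            raise LookupError("CNAME loop at " + key)
        seen.add(key)
        if key not in zone:
            raise LookupError("no record for " + key)
        rtype, data = zone[key]
        if rtype == "TXT":
            return key, data
        name = data  # CNAME: continue at the target name
    raise LookupError("too many CNAME hops")

def parse_tags(txt):
    """Split a DKIM tag=value list into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip()] = value.strip()
    return tags

def signing_plan(selector, customer_domain, zone=ZONE):
    """Return the d=/s= values to sign with and the key name found in n=."""
    owner, txt = resolve_txt(f"{selector}._domainkey.{customer_domain}", zone)
    tags = parse_tags(txt)
    if "n" not in tags:
        raise ValueError("key record at " + owner + " has no n= tag")
    return {"d": customer_domain, "s": selector,
            "private_key": tags["n"], "record_owner": owner}

if __name__ == "__main__":
    for dom in ("customer-a.example", "customer-b.example"):
        print(signing_plan("mail", dom))
```

A verifier performs the same lookup at selector._domainkey.customerdomain and reaches the shared p= value through the CNAME, so the signature verifies as first-party for each customer domain.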