[ietf-dkim] Third-party "authorization"
dotis at mail-abuse.org
Mon Oct 5 09:45:50 PDT 2009
On 10/5/09 8:54 AM, John Levine wrote:
>> Perhaps the appropriate answer might be an update or addendum to best
>> practices document or an informational document.
> Sure. What I've been hearing tells me that people need better DNS
> provisioning tools, not another wart in DKIM.
Creating a method to "authorize" mailing lists might represent such a
use without causing a wart to appear. Suggesting mailing lists arrange
selectors that perhaps use CNAME references arranged by authorizing
domains to point to their current public key, to then allow these
third-party domains to become indistinguishable from the domains
offering authorization represents an unsatisfactory and insecure
approach, and this should be seen as a wart.
Selector or key exchanges would also represent the coordinated
interaction between two or more administrators, that will need to
be maintained as selectors or keys are updated.
There was a suggestion on par with ADSP that used a single query to
answer whether some party had been "authorized" to sign on behalf of the
domain. This approach scales to _any_ level without requiring
additional queries. This approach only requires a single administrator
to make the authorizations, without coordination with the signing domain.
I would be happy to update the draft that gave an example of how this might
be done. The suggestion that careful and routine coordination between
two or more domains, to accomplish what would appear to represent a
first party signature, overlooks the value of having a clear
"authorization" of a third-party signature. DKIM policies, in a similar
manner as that of ADSP, could be conveyed and would likely offer actionable
information for a greater percentage of the grey area cases where this
policy information is most needed.
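As an added illustration of the single-query authorization idea in this message (example code, not from the post, the draft it mentions, or any DKIM implementation): the `_tpa._domainkey` record name, the hashed-label encoding and the `v=TPA1; d=` tag syntax are assumptions invented for the example. The verifier keeps the signer's `d=` distinct from the From: domain, so an authorized list remains distinguishable from a first-party signature, and only the authorizing domain's administrator edits the record.

```python
import base64
import hashlib

def tpa_label(signer_domain: str) -> str:
    """Hypothetical label encoding: base32(sha256(signer)), truncated to 32 chars.
    Encoding the signer in the label means one query answers 'is X authorized?'
    for any signer, without enumerating all authorized parties in one record."""
    digest = hashlib.sha256(signer_domain.lower().encode()).digest()
    return base64.b32encode(digest).decode().rstrip("=")[:32].lower()

def authorization_name(author_domain: str, signer_domain: str) -> str:
    """DNS name the verifier would query (hypothetical _tpa._domainkey convention)."""
    return f"{tpa_label(signer_domain)}._tpa._domainkey.{author_domain.lower()}"

# Constructed zone data standing in for DNS TXT lookups (not a real resolver).
ZONE = {
    "sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIB...",  # constructed key record
    # example.com authorizes lists.example.org; only example.com's admin edits this.
    authorization_name("example.com", "lists.example.org"): "v=TPA1; d=lists.example.org",
}

def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' tag list, the form DKIM and ADSP records use."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def classify_signature(from_domain: str, sig_d: str, zone: dict = ZONE) -> str:
    """Classify a cryptographically valid DKIM signature (d=sig_d) on a message
    whose From: domain is from_domain, using the authorizing domain's record."""
    from_domain, sig_d = from_domain.lower(), sig_d.lower()
    if sig_d == from_domain or from_domain.endswith("." + sig_d):
        return "first-party"
    record = zone.get(authorization_name(from_domain, sig_d))
    if record is None:
        return "unauthorized-third-party"
    tags = parse_tags(record)
    # d= must echo the signer so a truncated-hash collision cannot authorize another party.
    if tags.get("v") == "TPA1" and tags.get("d", "").lower() == sig_d:
        return "authorized-third-party"
    return "unauthorized-third-party"
```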