Keith Moore wrote:
> I'm comfortable with having a domain's "root public keys" stored in DNS
> but allowing the corresponding "root private keys" to sign key
> certificates for "individual public keys" that can be included in
> DKIM-signed messages. The policies for use of those public keys can
> then be encoded in the certificates, allowing those policies to be
> specified on a per-user basis. This gets out of the trap of having to
> specify policy on a per-domain basis, and doesn't require any more DNS
> queries than current DKIM. IMHO it would make DKIM much more flexible
> and adaptable to diverse domain situations (and thereby much more
> acceptable as a standard) than the current proposal.

If there were an I-D describing such a protocol, I'd be interested in
reading it - is there one?
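
The delegation chain discussed in this thread, sketched as an added example that is not part of either message or of any DKIM specification: a verifier obtains only the domain root public key (as it would from DNS), checks the per-user certificate carried with the message, and reads the policy from that certificate. The `UserCert` layout, the policy strings and the function names are hypothetical, and Ed25519 is an assumed choice of signature algorithm.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// UserCert is a hypothetical certificate: the domain root key signs a
// user's public key together with that user's policy.
type UserCert struct {
	User   string
	Policy string // constructed policy vocabulary, e.g. "signs-all"
	Key    ed25519.PublicKey
	Sig    []byte // root signature over certBody(c)
}

// certBody is the byte string the root key signs (assumed encoding).
func certBody(c UserCert) []byte {
	return []byte(c.User + "\n" + c.Policy + "\n" + string(c.Key))
}

// Issue signs a per-user certificate with the domain's root private key.
func Issue(root ed25519.PrivateKey, user, policy string, key ed25519.PublicKey) UserCert {
	c := UserCert{User: user, Policy: policy, Key: key}
	c.Sig = ed25519.Sign(root, certBody(c))
	return c
}

// Verify walks the chain: root key (from DNS) -> certificate -> message.
// The per-user policy is returned only when both signatures hold.
func Verify(dnsRoot ed25519.PublicKey, c UserCert, from string, msg, msgSig []byte) (string, error) {
	if !ed25519.Verify(dnsRoot, certBody(c), c.Sig) {
		return "", errors.New("certificate not signed by domain root key")
	}
	if c.User != from {
		return "", errors.New("certificate issued to a different user")
	}
	if !ed25519.Verify(c.Key, msg, msgSig) {
		return "", errors.New("message signature invalid")
	}
	return c.Policy, nil
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	userPub, userPriv, _ := ed25519.GenerateKey(nil)
	cert := Issue(rootPriv, "alice@example.org", "signs-all", userPub)
	msg := []byte("constructed message body")
	fmt.Println(Verify(rootPub, cert, "alice@example.org", msg, ed25519.Sign(userPriv, msg)))
}
```

Because the policy sits inside the signed certificate body, altering it in transit invalidates the root signature, and the only key the verifier has to look up is the domain root key.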