On Jul 26, 2006, at 11:14 AM, Michael Thomas wrote:
> This is a really good instance of what the base level requirements
> On the one hand we can say that the requirement is that an ISP signing
> on behalf of a customer actually sign on behalf of the customer. That
> is, the d=customer.com rather than d=isp.com.
> What I see here is the desire to actually have d=isp.com with the
> saying that that is ok. One downside of this is that you'd require
> lookup because the From: address would still be customer.com, not
> isp.com (ie, it looks like a third party). On the other hand, it
> seem like it's a very big burden on the signing software to know what
> domains it signs for, but I'm not as convinced about that from an

By combining a designated signing domain list with that of a rather
simple policy assertion, this does not involve an additional lookup.
The only policy lookup would be from the customer.com domain where
isp.com could be included within their designated signing domain
list, when that is required by the policy asserted. The policy could
also indicate whether the list is open-ended or closed. An empty
closed list would indicate only customer.com could produce a valid
signature for the OA.
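
The check described in the reply above, sketched as an added example that is not part of the original thread or of any DKIM specification. The `SigningPolicy` structure, the verdict strings, exact-match domain comparison, and the reading of "open-ended" as "unlisted signers are not ruled out" are all assumptions; the policy table is constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class SigningPolicy:
    """Hypothetical policy published by the From: (OA) domain."""
    designated: set = field(default_factory=set)  # other domains allowed to sign
    closed: bool = True                           # False means open-ended list

# Constructed sample policies; customer.com and isp.com are the thread's names.
POLICIES = {
    "customer.com": SigningPolicy({"isp.com"}, closed=True),
    "strict.example": SigningPolicy(set(), closed=True),   # empty closed list
    "open.example": SigningPolicy({"isp.com"}, closed=False),
}
LOOKUPS = []  # records every policy query so the lookup count is visible

def lookup_policy(domain):
    """Stand-in for the single policy query against the OA domain."""
    LOOKUPS.append(domain)
    return POLICIES.get(domain)

def _norm(domain):
    return domain.strip().lower().rstrip(".")

def evaluate(oa_domain, signer_domains, lookup=lookup_policy):
    """Classify a message from the d= values of its already-verified signatures.

    Only the OA domain is ever queried, and only when it did not sign itself.
    """
    oa = _norm(oa_domain)
    signers = {_norm(d) for d in signer_domains}
    if oa in signers:
        return "first-party"        # d= matches From:, no policy lookup needed
    policy = lookup(oa)
    if policy is None:
        return "no-policy"
    if signers & {_norm(d) for d in policy.designated}:
        return "designated"         # e.g. d=isp.com listed by customer.com
    if policy.closed:
        return "unauthorized"       # closed list and no acceptable signer
    return "third-party"            # open-ended list: signer not excluded

if __name__ == "__main__":
    for oa, signers in [("customer.com", ["isp.com"]),
                        ("customer.com", ["customer.com"]),
                        ("strict.example", ["isp.com"]),
                        ("open.example", ["other.example"])]:
        print(oa, signers, "->", evaluate(oa, signers))
    print("policy lookups:", LOOKUPS)
```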