Stephen Farrell wrote:
But if the delegator delegated its private key, or if the signer
supplied its public key to the delegator, then the buck might get
moved between them (from their, and not the verifier, perspective),
depending on the details of how the key delegation happened.
For example, if there is >1 copy of the private key, then, in
buck passing terms, we just don't know which signer signed.
The buck stops with the d= string.
How that string is administered is not a matter for public analysis.
You appear to be introducing an expectation that a validator is supposed to be
able to know exactly which entity, within the ADMD of the signing domain,
actually performed the signing action.
Since that is not something DKIM is designed to provide, per se, where does this
expectation come from?
NOTE WELL: This list operates according to