ietf-dkim

RE: [ietf-dkim] New issue: Signing by parent domains

2006-04-13 06:24:38
On Thu, 2006-04-13 at 07:55 -0400, Bill(_dot_)Oxley(_at_)cox(_dot_)com wrote:

> As an ISP we route customer mail thru our mta's, we have business
> customers that may use their own mta's. If a customer determines that
> entity at foo.com wishes to use bar.com's mta are you saying that
> bar.com should not sign on foo.com's behalf? Will that not present a
> problem with the reception of foo.com's mail downstream when dkim
> sigs are expected everywhere? How do we resolve that?

This is a different problem than being signed by a parent's domain.  The
risks associated with the parent domain problem extend to general
access to the parent's signing servers, and not whether their private
keys were compromised because of the issue you raise.

The signing-domain is not responsible for the use of the email-address
per the i= parameter, especially in the case of the parent domain.  The
i= parameter should not permit inclusion of a sub-domain.  This
_assumes_ per-user constraints where i= values are not simply obtained
from the message for administrative convenience to "improve" message
acceptance.
  
-Doug



_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
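
The restriction argued for in the reply above, as an added example that is not part of the original message or of any DKIM draft: a verifier-side check that compares the domain of the i= tag with the d= signing domain and can refuse a parent domain signing for a sub-domain identity. The function names and sample headers are constructed; it assumes the `tag=value;` tag-list syntax of the DKIM-Signature header and that an absent i= defaults to `@` plus the d= domain.

```python
import re

def parse_tags(header_value):
    """Split a DKIM-Signature tag-list ("k=v; k=v") into a dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        # Folding whitespace may appear inside a header value; drop it.
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def classify_identity(header_value):
    """Return 'same-domain', 'subdomain' or 'unrelated' for i= against d=."""
    tags = parse_tags(header_value)
    if "d" not in tags:
        raise ValueError("signature has no d= tag")
    d = tags["d"].lower().rstrip(".")
    # Assumption: a missing i= means "@" + d (empty local-part).
    identity = tags.get("i", "@" + d)
    i_domain = identity.rsplit("@", 1)[-1].lower().rstrip(".")
    if i_domain == d:
        return "same-domain"
    # Match on a label boundary so "notexample.com" is not read as
    # being under "example.com".
    if i_domain.endswith("." + d):
        return "subdomain"
    return "unrelated"

def accept(header_value, allow_subdomain):
    """Strict policy (allow_subdomain=False) is the one proposed above."""
    kind = classify_identity(header_value)
    return kind == "same-domain" or (kind == "subdomain" and allow_subdomain)

# Constructed sample signatures (not taken from real mail).
SAMPLES = [
    "v=1; a=rsa-sha256; d=example.com; s=sel; i=user@example.com",
    "v=1; a=rsa-sha256; d=example.com; s=sel; i=user@dept.example.com",
    "v=1; a=rsa-sha256; d=example.com; s=sel; i=user@notexample.com",
    "v=1; a=rsa-sha256; d=example.com; s=sel",
]

if __name__ == "__main__":
    for sig in SAMPLES:
        print(classify_identity(sig), accept(sig, allow_subdomain=False), sig)
```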