ietf-dkim

Re: [ietf-dkim] New issue: Signing by parent domains

2006-04-13 15:53:10
Bill(_dot_)Oxley(_at_)cox(_dot_)com wrote:
As an ISP we route customer mail thru our mta's, we have business customers 
that may use their own mta's. If a customer determines that entity at foo.com 
wishes to use bar.com's mta are you saying that bar.com should not sign 
on foo.com's behalf? Will that not present a problem with the reception of 
foo.com's mail downstream when dkim sigs are expected everywhere? How do we 
resolve that?
  
Bill,

This is a different issue entirely.  Currently, foo.com is automatically
entitled to sign for addresses in subdomains, e.g., user@sub.foo.com,
without any additional publication of keys.  This doesn't affect the
ability of foo.com to delegate authority to sign messages to bar.com.

So as an ISP, your customers would have the choice of signing messages
themselves using their own MTAs, or allowing you to sign messages for
them by publishing public keys (selectors) in DNS which correspond to
private keys you hold.  In any case, it's also OK for you to also apply
a signature as cox.com if you want, although for SSP purposes this would
be considered a "third party" signature since it isn't a signature on
behalf of the origination address.

-Jim
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
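
Added example, not part of the original message or of any DKIM implementation: a small Python model of the three cases the reply distinguishes (a key delegated to the ISP through a selector, a parent domain signing for a subdomain address, and the ISP's own signature). The header values and the selector names `isp1` and `outbound` are constructed, and the originator rule is the one stated in this thread, not the text of a published specification.

```python
# Added illustration of the rules described in the message above.

def parse_tags(header_value):
    """Parse a DKIM-Signature tag list ('v=1; d=foo.com; s=sel') into a dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Folding whitespace inside a value is not significant.
            tags[name.strip()] = "".join(value.split())
    return tags

def key_record_name(tags):
    """DNS name where a verifier looks up the public key for this signature."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def covers(signing_domain, address_domain):
    """True if signing_domain equals address_domain or is a parent of it.
    Compared on whole labels, so 'oo.com' does not match 'foo.com'."""
    s = signing_domain.lower().rstrip(".").split(".")
    a = address_domain.lower().rstrip(".").split(".")
    return len(s) <= len(a) and a[-len(s):] == s

def classify(header_value, from_address):
    """'originator' if d= covers the From domain, otherwise 'third-party'."""
    tags = parse_tags(header_value)
    from_domain = from_address.rsplit("@", 1)[1]
    return "originator" if covers(tags["d"], from_domain) else "third-party"

# Constructed samples. foo.com publishes selector 'isp1' whose private key
# the ISP holds, so the ISP's MTA can sign as d=foo.com.
DELEGATED = "v=1; a=rsa-sha256; d=foo.com; s=isp1; h=from:to:subject"
# The ISP additionally signs with its own domain and key.
ISP_SIG = "v=1; a=rsa-sha256; d=cox.com; s=outbound; h=from:to:subject"

if __name__ == "__main__":
    for sig, sender in [(DELEGATED, "user@foo.com"),
                        (DELEGATED, "user@sub.foo.com"),
                        (ISP_SIG, "user@foo.com")]:
        tags = parse_tags(sig)
        print(sender, key_record_name(tags), classify(sig, sender))
```
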