ietf-dkim

RE: [ietf-dkim] New issue: Signing by parent domains

2006-04-13 16:20:29
Jim,
So if they use our MTAs, the signatures would in fact be from cox.com, as
I don't believe there is a method to have us sign as foo.com, as the
reverse lookup for foo.com wouldn't match where the mail is coming from,
unless I am missing a lot here.
Please explain,
Thanks,

Bill Oxley 
Messaging Engineer 
Cox Communications, Inc. 
Alpharetta GA 
404-847-6397 
bill(_dot_)oxley(_at_)cox(_dot_)com 

-----Original Message-----
From: Jim Fenton [mailto:fenton(_at_)cisco(_dot_)com] 
Sent: Thursday, April 13, 2006 6:42 PM
To: Oxley, Bill (CCI-Atlanta)
Cc: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] New issue: Signing by parent domains

Bill(_dot_)Oxley(_at_)cox(_dot_)com wrote:
> As an ISP we route customer mail thru our MTAs, we have business
> customers that may use their own MTAs. If a customer determines that
> entity at foo.com wishes to use bar.com's MTA are you saying that
> bar.com should not sign on foo.com's behalf? Will that not present a
> problem with the reception of foo.com's mail downstream when DKIM sigs
> are expected everywhere? How do we resolve that?

Bill,

This is a different issue entirely.  Currently, foo.com is automatically
entitled to sign for addresses in subdomains, e.g., user@sub.foo.com,
without any additional publication of keys.  This doesn't affect the
ability of foo.com to delegate authority to sign messages to bar.com.

So as an ISP, your customers would have the choice of signing messages
themselves using their own MTAs, or allowing you to sign messages for
them by publishing public keys (selectors) in DNS which correspond to
private keys you hold.  In any case, it's also OK for you to also apply
a signature as cox.com if you want, although for SSP purposes this would
be considered a "third party" signature since it isn't a signature on
behalf of the origination address.

-Jim

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
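
Added example, not part of the original messages: a short Python sketch of the three cases Jim describes (a delegated signature made with a key foo.com publishes, a parent domain signing for a subdomain address, and an ISP signing as cox.com). It classifies a signature by comparing the From: domain with the d= tag and derives the DNS name where the verifier looks up the public key. The header values and selector names are constructed, and no cryptographic verification is performed.

```python
import re
from email.utils import parseaddr

def parse_tags(value):
    """Parse a DKIM-Signature tag=value list into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            # Folding whitespace inside these tag values is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_record_name(tags):
    """DNS name of the TXT record holding the public key for this signature."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def classify(from_header, sig_value):
    """Return (relationship of signer to author domain, key lookup name)."""
    author = parseaddr(from_header)[1].rpartition("@")[2].lower()
    tags = parse_tags(sig_value)
    signer = tags["d"].lower()
    if author == signer:
        kind = "first-party"
    elif author.endswith("." + signer):
        # Parent domain signing for an address in a subdomain.
        kind = "first-party (parent domain)"
    else:
        kind = "third-party"
    return kind, key_record_name(tags)

# Constructed samples; selector names "cox1", "mail" and "out" are hypothetical.
SAMPLES = [
    # foo.com publishes selector cox1; the ISP holds the matching private key.
    ("Alice <user@foo.com>", "v=1; a=rsa-sha256; d=foo.com; s=cox1; h=from:to"),
    # foo.com signs for a subdomain address without publishing further keys.
    ("user@sub.foo.com", "v=1; a=rsa-sha256; d=foo.com; s=mail; h=from:to"),
    # The ISP signs under its own domain.
    ("user@foo.com", "v=1; a=rsa-sha256; d=cox.com; s=out; h=from:to"),
]

if __name__ == "__main__":
    for from_header, sig in SAMPLES:
        print(from_header, "->", classify(from_header, sig))
```

In all three cases the key lookup depends only on the s= and d= tags in the signature, not on the IP address or reverse DNS of the sending MTA.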