ietf-dkim

Re: [ietf-dkim] Underscore considerations

2006-06-09 15:08:42
I don't see this as a policy issue.  It really has to do with
determining whether a given signature is valid or invalid.  If the
signature is valid, and is a first party signature, we might not even
need to consult policy (depending on what direction the SSP discussion
takes, of course...).

-Jim


Stephen Farrell wrote:

Don't you very quickly run into policy considerations once you
start down that route? In your example, if I want the key to be
ok for foo.example.com during working hours and bar.example.com
for 24 hours.

So another approach would be to punt to ssp if this is a real
concern (and there are those arguing it isn't),

S.

Jim Fenton wrote:
Let me see if I understand Doug well enough to boil this down to a small
example:

Suppose benefits@example.com is an outsourced benefits provider which
needs to sign messages in order to send them to clients at example.com
without making them look spoofed.  So the domain administrator of
benefits.com delegates the use of a keypair by publishing a key record
in _domainkey.example.com, with g=benefits.

This gives the holder of the private key the ability to sign messages
for benefits@asia.example.com, which might be a different provider, in
addition to the intended address.

I can see where this might not be desired.  The fix for this that I
would suggest would be to put something in the key record saying that
the key can't sign for subdomains.  Is this worth doing?

-Jim

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
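
The scoping question raised in the thread above, shown as an added example that is not part of the original messages or of any DKIM implementation: a simplified verifier-side check of the signing identity (`i=`) against the signing domain (`d=`) and the key record's granularity (`g=`). The `no_subdomains` parameter is hypothetical and stands in for the key-record restriction suggested in the thread; the function names and sample values are assumptions.

```python
# Simplified model of the identity check discussed in the thread.
# Not a full DKIM verifier: no DNS lookup, no signature verification.

def split_identity(i_tag):
    """Split an i= value into (local-part, lowercased domain)."""
    local, sep, domain = i_tag.rpartition("@")
    if not sep or not domain:
        raise ValueError("i= value must contain '@' followed by a domain")
    return local, domain.lower().rstrip(".")

def local_part_matches(local, g_tag):
    """Match the local-part against g=, allowing a single '*' wildcard."""
    if "*" not in g_tag:
        return local == g_tag
    prefix, _, suffix = g_tag.partition("*")
    return (len(local) >= len(prefix) + len(suffix)
            and local.startswith(prefix) and local.endswith(suffix))

def domain_in_scope(identity_domain, d_tag, no_subdomains):
    """The i= domain must be d= itself or, unless restricted, a subdomain."""
    d = d_tag.lower().rstrip(".")
    if identity_domain == d:
        return True
    if no_subdomains:  # hypothetical restriction proposed in the thread
        return False
    return identity_domain.endswith("." + d)

def identity_allowed(i_tag, d_tag, g_tag="*", no_subdomains=False):
    """True if the key record permits signing on behalf of i_tag."""
    local, domain = split_identity(i_tag)
    return (local_part_matches(local, g_tag)
            and domain_in_scope(domain, d_tag, no_subdomains))

if __name__ == "__main__":
    # Constructed cases: key published under _domainkey.example.com, g=benefits
    cases = [
        ("benefits@example.com", False),
        ("benefits@asia.example.com", False),  # the unintended delegation
        ("benefits@asia.example.com", True),   # blocked by the restriction
        ("payroll@example.com", False),        # rejected by g=
    ]
    for identity, restricted in cases:
        ok = identity_allowed(identity, "example.com", "benefits", restricted)
        print(f"{identity:28} no_subdomains={restricted!s:5} -> {ok}")
```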