On Wednesday 26 July 2006 11:03, Arvel Hathcock wrote:
I think we've got a winner here -- and deliverable within a reasonable
time frame -- if we can keep the core requirements to a minimum.
As we think through the definition of minimum, I think it important that we
consider the class of domains that are not supported by one or more dedicated
mail servers. Domains that send through shared servers are a large fraction
of the domains in existence (although no doubt a much smaller fraction of
e-mail being sent).
Is the concept of operations that these servers should sign using the
provider's key (so all signatures for the domain are 3rd party) or that the
provider should manage multiple keys to support per domain keys and sign the
messages first party for the domain?
When one says 'signs all messages' does that mean first party signatures or
any signature? Announcing that all messages are signed, but may be signed by
anybody, is trivially spoofable.
I understand and agree that we need to keep this to a minimum set of
functionality to produce something useful, I believe that there is a
irreduceable amount of complexity we need to consider. I think it's better
to work through it now and produce a simpler policy protocol.
Scott K
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html