Scott Kitterman wrote:
What security problems are there with a list of authorized signing domains
that are not equally applicable to the NS delegation/operator signs with
the author's domain approach? I'm unclear about that. Maybe we can help
each other out.

With key delegation (either with NS, or by publishing a TXT record with
a public key that the signing operator uses), the operator signs using
the author's (or more generally the delegator's) domain name, and can
use i= to specify that the signature corresponds to the author's
address. So it's possible to see that it's an author signature. With
authorized signing domains, the operator signs using its own domain
name, and no association with the specific signing address (either the
local-part, or specification of which delegated domain) is possible.
-Jim
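
The distinction drawn in the reply above, as an added example that is not part of the original message: a verifier-side check of whether a signature's d= and i= tags tie it to the From: address. The function names, the sample headers and the result labels are constructed for illustration; the matching rule is a simplification, and cryptographic verification and quoted-printable decoding of i= are left out.

```python
import re
from email.utils import parseaddr

def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def classify(dkim_value, from_header):
    """Return 'author', 'third-party' or 'invalid' for one signature.

    Only d= and i= are compared with the From: address; the signature
    itself is assumed to have been verified elsewhere.
    """
    tags = parse_tags(dkim_value)
    d = tags.get("d", "").lower()
    if not d:
        return "invalid"
    i = tags.get("i", "@" + d)           # i= defaults to "@" + d=
    if "@" not in i:
        return "invalid"
    i_local, _, i_domain = i.rpartition("@")
    i_domain = i_domain.lower()
    # The i= domain must be d= itself or a subdomain of it.
    if i_domain != d and not i_domain.endswith("." + d):
        return "invalid"
    a_local, _, a_domain = parseaddr(from_header)[1].rpartition("@")
    if i_domain != a_domain.lower():
        return "third-party"
    # With no local-part in i=, only the domains have to match.
    if i_local and i_local != a_local:
        return "third-party"
    return "author"

# Constructed sample headers (hash and signature tags omitted).
FROM = "Alice <alice@author.example>"
# Key delegation: the operator signs with the author's domain and sets i=.
DELEGATED = "v=1; a=rsa-sha256; d=author.example; s=op1; i=alice@author.example"
# Authorized signing domain: the operator signs with its own domain.
AUTHORIZED = "v=1; a=rsa-sha256; d=operator.example; s=mail"
# The operator cannot name the author's address under its own d=.
MISMATCHED = "v=1; a=rsa-sha256; d=operator.example; s=mail; i=alice@author.example"
```
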
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html