RE: [ietf-dkim] Delegation semantics

This is rather different, in fact it is essentially being done for the same 
purpose the example I gave.

The point I was trying to make here is that if I delegate any part of my DKIM 
key record space to your system you now have the ability to produce email 
messages that authenticate as coming from me.

Regardless of any statement that might appear in the DKIM spec I can't see my 
CISO accepting a situation where I delegate to a third party the ability to 
sign on behalf of my CEO. You can claim that the signature is not transactional 
as much as you like, I don't think such a statement would be supportable.


We could continue to go the NS record route but why tell people to use a 
mechanism that has serious security problems, does not expose the desired 
information, does not provide as much control, is vastly more complex and 
requires use of very powerful DNS constructs?

I think that the presumption here should be against use of mechanisms like NS 
or CNAME if the use case is adopted unless it can be shown that there is no 
other way to achieve the outcome.

> -----Original Message-----
> From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org 
> [mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of 
> Bill(_dot_)Oxley(_at_)cox(_dot_)com
> Sent: Tuesday, August 29, 2006 12:46 PM
> To: ietf-dkim(_at_)mipassoc(_dot_)org
> Subject: RE: [ietf-dkim] Delegation semantics
>
> http://www.mxlogic.com/emaildefense/comprehensive_protection.h
> tml?GCID=S
> 16104x002&KEYWORD=mx%20logic
> these folks make a living by using delegated namespace.
> Thanks,
>
> Bill Oxley
> Messaging Engineer
> Cox Communications, Inc. 
> Alpharetta GA
> 404-847-6397
> bill(_dot_)oxley(_at_)cox(_dot_)com 
>
>
> -----Original Message-----
> From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
> [mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of John Levine
> Sent: Tuesday, August 29, 2006 12:30 PM
> To: ietf-dkim(_at_)mipassoc(_dot_)org
> Subject: Re: [ietf-dkim] Delegation semantics
>
> > I think that the NS suggestion is a bad one for policy reasons. I am 
> > never going to delegate any part of my DNS. Space to a third 
> party and 
> > I don't think anyone else is likely to either.
> Mailers routinely delegate subdomains to their ESPs right now.  For
> example:
>
> $ dig email.orbitz.com ns
>
> ; <<>> DiG 9.3.1 <<>> email.orbitz.com ns ;; global options:  
> printcmd ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49736 ;; 
> flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;email.orbitz.com.              IN      NS
>
> ;; ANSWER SECTION:
> email.orbitz.com.       16536   IN      NS
> bb1dns1.edc.dartmail.net.
> email.orbitz.com.       16536   IN      NS
> bb1dns2.ddc.dartmail.net.
> email.orbitz.com.       16536   IN      NS
> bb1dns3.ddc.dartmail.net.
> email.orbitz.com.       16536   IN      NS
> bb1dns1.ddc.dartmail.net.
>
> R's,
> John
> _______________________________________________
> NOTE WELL: This list operates according to 
> http://mipassoc.org/dkim/ietf-list-rules.html
>
> _______________________________________________
> NOTE WELL: This list operates according to 
> http://mipassoc.org/dkim/ietf-list-rules.html
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html