Doug,
The language you're suggesting here sounds like it's suggesting a design
(use of Designated Signing Domains) rather than a requirement (ability
to delegate signing authority). I'd prefer to see something much more
general, i.e. that it be possible to delegate signing authority under
the following constraints (...).
-Jim
Douglas Otis wrote:
2. Definitions
Add:
o Designated Signing Domain: A designated signing domain may be either
a valid first or third party signature that has been referenced
by an email-address policy. This domain is not required to directly
correspond to some originating email-address domain.
4.6. Scenario 6: Designated Signing Domain
Many domains do not run their own mail infrastructure, or may
outsource parts of it to third parties. It is desirable for a domain
holder to have the ability to designate that other entities sign for the
domain holder with the equivalent of a first party signature. One
obvious use scenario is a domain holder for a small domain that needs
to have the ability for their outgoing ISP to sign mail on behalf of
this email-address domain holder. As with outsourced first party
signing, other use scenarios include outsourced bulk mail for
marketing campaigns, as well as outsourcing various business functions
such as insurance benefits, etc.
This mode of operation offers two significant advantages over delegating
part of a DNS zone, or the routine sharing of key information. One is
that the ISP receives DKIM abuse reports. The other is the
administration of this assignment can be done autonomously. The
alternatives require coordination with possibly three different
entities.
As with outsourced first party signing, the provider must be considered
trustworthy and held in high esteem by the domain owner. The ISP does
not select a key referenced from a domain controlled by each customer.
Instead the provider ensures only validated email-addresses are signed by
a "clean" domain intended to be suitable for the purpose of being
designated in their customer's DKIM 2822.From and 2821.Mail-From
policies.
With this "designated" mode of operation, a provider improves upon the
acceptance of their messages when the "clean" domain is certified as
only sending messages with validated email-addresses. This benefit
does not require that their customers designate this domain, but such
designation would be an affirmation of the provider's stewardship.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
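The classification a verifier would have to make under Doug's proposal, as an added worked example that is not part of either message above and is not code from any DKIM implementation: a valid signature whose d= equals the 2822.From domain is first party; one whose d= is named in the From domain's policy is treated as "designated" (the first-party equivalent the scenario describes); any other valid signature is third party. The policy record syntax (a "dsd=" tag list), the in-memory policy table standing in for a DNS lookup, the header values and the domain names are all constructed for the example; the proposal defines none of them. The only rule taken from the DKIM base spec is the RFC 4871 section 3.5 requirement that the i= domain be d= or a subdomain of it.

```python
import re

# Constructed policy records keyed by email-address domain. The "dsd=" tag and
# the record syntax are a hypothetical illustration: the quoted proposal
# describes designating a signing domain but does not define a record format.
POLICY_RECORDS = {
    "smallbiz.example": "v=dsd1; dsd=mail.isp.example; dsd=bulk.marketing.example",
    "bigcorp.example": "v=dsd1",
}

# Constructed DKIM-Signature headers (no real keys; bh= and b= are placeholders).
SIG_BY_ISP = ("v=1; a=rsa-sha256; c=relaxed/simple; d=mail.isp.example; s=sel1;"
              " i=@mail.isp.example; h=from:to:subject:date; bh=CONSTRUCTED; b=CONSTRUCTED")
SIG_BY_AUTHOR = ("v=1; a=rsa-sha256; c=relaxed/simple; d=smallbiz.example; s=k1;"
                 " h=from:to:subject:date; bh=CONSTRUCTED; b=CONSTRUCTED")


def parse_tag_list(value):
    """Parse a DKIM tag=value list (RFC 4871 section 3.2) into a dict.

    Whitespace inside a value is dropped, as a verifier does for folded b=
    values; a repeated tag is rejected rather than silently overwritten.
    """
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part)
        name = name.strip()
        if name in tags:
            raise ValueError("duplicate tag: %s" % name)
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def designated_domains(record):
    """Collect every dsd= value from a (hypothetical) policy record."""
    domains = set()
    for part in record.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name.strip().lower() == "dsd":
            domains.add(val.strip().lower())
    return domains


def from_domain(from_header):
    """Domain of the 2822.From address (angle-addr or bare addr-spec)."""
    m = re.search(r"<([^>]*)>", from_header)
    addr = m.group(1) if m else from_header
    _local, at, domain = addr.strip().rpartition("@")
    if not at or not domain:
        raise ValueError("no domain in From: %r" % from_header)
    return domain.lower()


def is_same_or_subdomain(name, parent):
    return name == parent or name.endswith("." + parent)


def classify_signature(from_header, dkim_signature, policy_lookup, verified=True):
    """Relate a DKIM signature to the 2822.From domain.

    Returns "unverified" (signature failed, so d= proves nothing),
    "first-party" (d= equals the From domain), "designated" (d= is listed in
    the From domain's policy record) or "third-party" (valid signature by a
    domain the policy does not name). policy_lookup(domain) returns the record
    text or None; here it is a dict lookup standing in for a DNS query.
    Matching is exact: the proposal does not say whether subdomains inherit a
    designation, so none is assumed.
    """
    if not verified:
        return "unverified"
    tags = parse_tag_list(dkim_signature)
    signer = tags.get("d", "").lower()
    if not signer:
        raise ValueError("DKIM-Signature lacks the required d= tag")
    # RFC 4871 section 3.5: the domain of i=, when present, must be d= or a subdomain.
    if "i" in tags:
        i_domain = tags["i"].rpartition("@")[2].lower()
        if not is_same_or_subdomain(i_domain, signer):
            raise ValueError("i= domain %s is not under d= %s" % (i_domain, signer))
    author = from_domain(from_header)
    if signer == author:
        return "first-party"
    record = policy_lookup(author)
    if record is not None and signer in designated_domains(record):
        return "designated"
    return "third-party"


if __name__ == "__main__":
    for hdr, sig in (("Alice <alice@smallbiz.example>", SIG_BY_ISP),
                     ("alice@smallbiz.example", SIG_BY_AUTHOR),
                     ("Bob <bob@bigcorp.example>", SIG_BY_ISP)):
        print(hdr, "->", classify_signature(hdr, sig, POLICY_RECORDS.get))
```

Note that the "designated" result only carries the meaning the scenario gives it if the signature actually verified: the function takes the verifier's result as an input rather than recomputing it, and an unverified signature is never promoted by the policy.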