ietf-dkim

Re: [ietf-dkim] New issue: ssp-requirements-01 // Designated Signing Domain Scenario missing

2006-09-20 23:28:20
Doug,

The language you're suggesting here sounds like it's suggesting a design
(use of Designated Signing Domains) rather than a requirement (ability
to delegate signing authority).  I'd prefer to see something much more
general, i.e. that it be possible to delegate signing authority under
the following constraints (...).

-Jim

Douglas Otis wrote:
2.  Definitions

Add:

o  Designated Signing Domain: A designated signing domain may be either
   a valid first or third party signature that has been referenced
   by an email-address policy.  This domain is not required to directly
   correspond to some originating email-address domain.


4.6.  Scenario 6: Designated Signing Domain

Many domains do not run their own mail infrastructure, or may
outsource parts of it to third parties.  It is desirable for a domain
holder to have an ability to designate that other entities sign for the
domain holder with the equivalent of a first party signature.  One
obvious use scenario is a domain holder for a small domain that needs
to have the ability for their outgoing ISP to sign mail on behalf of
this email-address domain holder.  As with outsourced first party
signing, other use scenarios include outsourced bulk mail for
marketing campaigns, as well as outsourcing various business functions
such as insurance benefits, etc.

This mode of operation offers two significant advantages over delegating
part of a DNS zone, or the routine sharing of key information.  One is
that the ISP receives DKIM abuse reports.  The other is that the
administration of this assignment can be done autonomously.  The
alternatives require coordination with possibly three different
entities.

As with outsourced first party signing, the provider must be considered
trustworthy and held in high esteem by the domain owner.  The ISP does
not select a key referenced from a domain controlled by each customer.
Instead the provider ensures only validated email-addresses are signed by
a "clean" domain intended to be suitable for the purpose of being
designated in their customer's DKIM 2822.From and 2821.Mail-From
policies.

With this "designated" mode of operation, a provider improves upon the
acceptance of their messages when the "clean" domain is certified as
only sending messages with validated email-addresses.  This benefit
does not require that their customers designate this domain, but such
designation would be an affirmation of the provider's stewardship.


-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
