On Jan 23, 2008, at 1:07 PM, Hector Santos wrote:
There were various proposals which allowed a receiver to look up the
SSP and determine which 3rd party domains were allowed to sign on
its behalf.
However, I believe, the concern was that it did not scale well,
i.e., how large can the 3PS list be in the SSP record?
Hector,
Please review the SSP extension for third-party authorization:
http://tools.ietf.org/wg/dkim/draft-otis-dkim-tpa-ssp-02.txt
The TPA-SSP technique easily scales and can include _every_ major
legitimate MTA known to exist within the entire world! Confirmation
of authorization requires a single small DNS transaction. This
technique can resolve DSN issues for third-party domains as well.
TPA-SSP offers a significant security improvement over other
delegation techniques. Provider MTAs would not need to warehouse
their customers' private keys, accept the delegation of their
customers' domains, or maintain CNAME relationships with published keys
in conjunction with the use of different selectors. Management of
TPA-SSP authorizations can be handled autonomously as well without
impacting the normal operation of the MTA.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html