MH Michael Hammer (5304) wrote:
In light of the comments by Bill Oxley and my belief that the ability of
a domain to designate signing by a specified 3rd party is useful, I'd
like to see this included in the update.
Such an addition is the equivalent of adding an access control list (ACL) to
DKIM. This was debated extensively before and the working group noted that an
adequate control mechanism already exists in DKIM: selectors.
At its core, this change seeks to have recipients enforce authorization to use
DKIM by an agent that is within the a "sender's" sphere of control. Even
though
the agent is an independent actor, they have an arrangement with the sender and
are therefore within their sphere of control. ACLs are a significant bit of
mechanism.
Rather than invent an entirely new mechanism that adds to the complexity of the
recipient's DKIM handling, the same level of useful information is imparted by
having the sender and signer coordinate so that the signer uses a selector for
a
domain (or sub-domain) of the sender.
This moves the work to (only) the folks who have the clear need and motivation,
and it requires no additional changes to DKIM.
However what this repetition of a resolved item does suggest is that we ought
to
generate a document that gives specific details for specific scenarios, beyond
what is already in the Deployment document:
<http://www.ietf.org/id/draft-ietf-dkim-deployment-08.txt>
Apparently, the detail in its sections 6.3 and 6.4 isn't sufficient.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html