I'm OK with it as long as it's clear this is only done for the purposes of
getting finer-grained keys and we're not shifting away from transit
validation.
This is one of the reasons I think it is GOOD to defer human interface issues,
with a focus on this validation being consumed by a filtering mechanism
rather than by the recipient user directly.
OTOH, could DNS scaling issues possibly be lurking nearby?
A number of folks keep raising this concern, but no one has yet produced a
serious analysis that says the problem is serious.
Note that the signer can use any number of sub-domains and therefore split the
query traffic. This is yet another benefit of having the signing ID be
separated from From and Sender.
d/
---
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker a t ...
WE'VE MOVED to: www.bbiw.net