Dave Crocker wrote:
In other words, I suggested that use of classic DNS sub-domains provides the
delegation features that cover the interesting cases for DKIM.
I continue to be unclear what is superior about having SSP invent a new
mechanism that creates security problems and additional administrative overhead.
Naively, I think there are some cases where the NS delegation mechanism leaves
something to be desired and hence the desire to have a more passive arrangement
between the domain holder and the signer. What I think we're finding is that
there's no free lunch and that the seemingly desirable passive mode suffers
from unacceptable security problems. If it turns out that the passive mode of
delegation is in fact active after all (ie, requires agreement between domain
holder/signer), then the requirement should be dropped since you're exactly
right: we already have a means to do that.
I think we're pretty much there, IMO. I'll let Stephen and Barry call that
though.
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html