Scott Kitterman wrote: > Yes, but the fundamental operational problem will be to pick the correct > domain to sign with. You have to make that decision either way. The basis > upon which you make the decision is the same. I agree that the result LOOKS > less ambiguous with the NS delegation approach, but the fundamental security > issue is don't pick the wrong domain to sign with and that's no different. > When using the "authorized signing domains" approach, the signer uses its own domain name, not that of the domain doing the delegation. I don't see where there is a choice for the signer to make (which is also the source of the ambiguity).
-Jim _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html