On Sep 20, 2006, at 11:10 PM, Jim Fenton wrote:

The language you're suggesting here sounds like it's suggesting a design (use of Designated Signing Domains) rather than a requirement (ability to delegate signing authority). I'd prefer to see something much more general, i.e. that it be possible to delegate signing authority under the following constraints (...).

One of the goals in adding this section, or having this document, is to develop clear and succinct terminology.

Does this look better?

-------------------------
2.  Definitions

Add:

o  DKIM Delegation:  Delegating to a different domain, through DNS zone
   delegation or key sharing, where this different domain transparently
   signs as the delegating domain.

o  Designated Signing Domain:  Designating a different domain, through
   an email-address policy reference of the different domain, where the
   different domain's signature is then considered equivalent to that
   of the delegating domain for the purpose of evaluating other policy
   state assertions.


4.6.  Scenario 6: Designated Signing Domain

Many domains do not run their own mail infrastructure, or may
outsource parts of it to third parties.  It is desirable for a domain
holder to have an ability to simply designate that other entities sign
for them as being equivalent to a first party signature for the
purpose of evaluating other policy assertions.

One obvious use scenario is a domain holder for a small domain that
wishes to allow their outgoing ISP to sign mail on their behalf.  As
with outsourced first party signing, other use scenarios include
outsourced bulk mail for marketing campaigns, as well as outsourcing
various business functions such as insurance benefits, etc.

As with outsourced first party signing, the provider of the designated
domain must be considered trustworthy and held in high esteem by the
designating domain.  The ISP does not select a key referenced from
a domain controlled by a customer.  Instead the provider may ensure
only validated email-addresses are signed by a "clean" domain intended
to be suitable for the purpose of being designated in their customer's
DKIM policies as offering valid email-addresses.

DKIM policies should be able to designate a different domain without
also asserting that the email-addresses contained within the messages
have been validated.  This would be roughly equivalent to a signature
lacking the 'i=' parameter.

The ISP is assured better protection of their IP addresses by receiving
DKIM related abuse reports.  Control of semantics regarding the validity
of email-addresses is retained by the domain owner.

-Doug
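The distinction the proposed text draws, between transparent DKIM Delegation (the signer is indistinguishable from the author domain) and a Designated Signing Domain (a different d= that the author domain's policy declares equivalent, with or without an address-validity assertion), can be modelled as a small verifier-side classification. The following is an added example, not text or code from the email, the DKIM working group or any draft; the `Policy` record layout, the `designated_no_address_assertion` set and the category names are constructed for illustration only and do not correspond to any published DKIM policy tag.

```python
# Added example (hypothetical policy model, not a DKIM specification).
# Classifies a verified DKIM signature relative to the author domain
# of the message, following the definitions in the proposed text:
#   - DKIM Delegation: d= equals the author domain (zone delegation or
#     key sharing), so the signature is simply first party.
#   - Designated Signing Domain: d= is a different domain that the
#     author domain's policy lists as an equivalent signer.
#   - A designation may omit the assertion that contained addresses
#     were validated, which the text compares to a signature with no i=.
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Policy:
    """Hypothetical sender policy published by the author domain."""
    domain: str
    # Domains whose signatures count as equivalent to a first party signature.
    designated: Set[str] = field(default_factory=set)
    # Subset of 'designated' for which no address-validity assertion is made.
    designated_no_address_assertion: Set[str] = field(default_factory=set)


@dataclass
class Signature:
    """The parts of an already-verified DKIM signature that matter here."""
    d: str                   # signing domain (d= tag)
    i: Optional[str] = None  # signing identity (i= tag), None if absent


def classify(from_domain: str, sig: Signature, policy: Policy) -> str:
    """Return 'first-party', 'designated', 'designated-no-address'
    or 'third-party' for a signature on mail from from_domain."""
    d = sig.d.lower()
    if d == from_domain.lower():
        # DKIM Delegation is transparent: the delegate signs as the
        # delegating domain, so the verifier sees a first party signature.
        return "first-party"
    if d in {x.lower() for x in policy.designated}:
        if d in {x.lower() for x in policy.designated_no_address_assertion}:
            return "designated-no-address"
        return "designated"
    # Any other signer is a plain third party signature; other policy
    # assertions of the author domain are evaluated as if unsigned.
    return "third-party"


def address_validated(from_domain: str, sig: Signature, policy: Policy) -> bool:
    """True only when the signer is first party or designated AND the
    signature carries an i= identity; a designation without an address
    assertion, or a signature lacking i=, asserts nothing about addresses."""
    kind = classify(from_domain, sig, policy)
    return kind in ("first-party", "designated") and sig.i is not None


if __name__ == "__main__":
    # Constructed sample policy for the author domain example.com.
    pol = Policy(
        domain="example.com",
        designated={"isp.example", "bulk.example"},
        designated_no_address_assertion={"bulk.example"},
    )
    for s in (Signature("example.com", "@example.com"),
              Signature("isp.example", "user@isp.example"),
              Signature("bulk.example", "user@bulk.example"),
              Signature("other.example")):
        print(s.d, classify("example.com", s, pol),
              address_validated("example.com", s, pol))
```

The verifier never consults the designated domain for the policy; only the author domain's own record decides which signers are equivalent, which keeps control of address-validity semantics with the domain owner as the text requires.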