> On Apr 21, 2016, at 7:23 AM, Dave Crocker <dcroc...@bbiw.net> wrote:
>
> On 3/2/2016 1:35 AM, Stephen Farrell wrote:
>> LURK is an IETF mailing list that's discussing developing a
>> solution to the "offload TLS without giving the CDN my private
>> key" problem.
>
>
> The premise seems to be that there is a single private key.
>
> DKIM permits an arbitrary number of private keys to be associated with the
> domain name. So assigning one solely for use by a third-party -- and
> deciding when to terminate it -- is convenient and carries no effect on
> other uses.
I concur. All you have to do with DKIM is to make sure that the key associated with a given message is available, and having that be non-uniform is a feature of the base protocol. The private key is owned by the sending machinery -- potentially an edge MTA -- only. The cost of destroying a key (remember, they're keys, not certs) is only that the messages presently in-flight might not verify.

Most of all, we planned for similar uses. Not CDNs in particular, but the reason DKIM talks about the "administrative domain" (Dave's term) is because we knew that CDNs and other people (heck, like outsourced email senders) would need to be able to have the ability to do whatever.

Jon

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
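The per-selector key model Dave and Jon describe, as an added illustration that is not part of the thread: each selector under `_domainkey` is an independent public key, a third party (here a "cdn" selector) signs with its own private key, and withdrawing that one DNS record only breaks verification of messages already in flight under that selector while the domain's other selectors keep working. The `DNS` dict, `toy_keypair` and the textbook-sized RSA parameters are constructed for the example; real DKIM uses full-size RSA or Ed25519 keys and the actual DKIM-Signature canonicalization.

```python
import hashlib

# Toy RSA (constructed, textbook-sized; illustrates key lookup, not key strength).
def toy_keypair(p, q, e=17):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

# Simulated DNS: "selector._domainkey.domain" -> public key. One record per key,
# so a domain can publish any number of keys for different senders.
DNS = {}

def publish(domain, selector, pub):
    DNS[f"{selector}._domainkey.{domain}"] = pub

def revoke(domain, selector):
    # Terminating a delegated key is just removing its selector record.
    DNS.pop(f"{selector}._domainkey.{domain}", None)

def _digest(body, n):
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def sign(body, domain, selector, priv):
    n, d = priv
    # Minimal stand-in for a DKIM-Signature header: d= and s= tell the
    # verifier which public key to fetch; b= is the signature value.
    return {"d": domain, "s": selector, "b": pow(_digest(body, n), d, n)}

def verify(body, header):
    pub = DNS.get(f"{header['s']}._domainkey.{header['d']}")
    if pub is None:
        return False  # selector withdrawn or never published: cannot verify
    n, e = pub
    return pow(header["b"], e, n) == _digest(body, n)

def scenario():
    """Delegate a key to a third party, then revoke it; report what still verifies."""
    corp_pub, corp_priv = toy_keypair(61, 53)
    cdn_pub, cdn_priv = toy_keypair(67, 71)
    publish("example.com", "corp", corp_pub)
    publish("example.com", "cdn", cdn_pub)   # key used only by the outsourced sender
    body = b"hello from the edge MTA\r\n"
    corp_msg = sign(body, "example.com", "corp", corp_priv)
    cdn_msg = sign(body, "example.com", "cdn", cdn_priv)
    before = verify(body, cdn_msg)
    revoke("example.com", "cdn")              # third-party arrangement ends
    return {"cdn_before_revoke": before,
            "cdn_in_flight_after_revoke": verify(body, cdn_msg),
            "corp_unaffected": verify(body, corp_msg)}
```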