> On Apr 21, 2016, at 7:23 AM, Dave Crocker <dcroc...@bbiw.net> wrote:
> 
> On 3/2/2016 1:35 AM, Stephen Farrell wrote:
>> LURK is an IETF mailing list that's discussing developing a
>> solution to the "offload TLS without giving the CDN my private
>> key" problem.
> 
> 
> The premise seems to be that there is a single private key.
> 
> DKIM permits an arbitrary number of private keys to be associated with the 
> domain name.  So assigning one solely for use by a third-party -- and 
> deciding when to terminate it -- is convenient and carries no effect on 
> other uses.

I concur. All you have to do with DKIM is to make sure that the key associated 
with a given message is available, and having that be non-uniform is a feature 
of the base protocol. The private key is owned by the sending machinery -- 
potentially an edge MTA -- only. The cost of destroying a key (remember, 
they're keys, not certs) is only that the messages presently in-flight might 
not verify. 

Most of all, we planned for similar uses. Not CDNs in particular, but the 
reason DKIM talks about the "administrative domain" (Dave's term) is because we 
knew that CDNs and other people (heck, like outsourced email senders) would 
need to be able to have the ability to do whatever. 

        Jon
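The per-selector delegation and termination Dave describes, as an added Go example that is not part of the thread: DNS is replaced by an in-memory map, the hash is reduced to the body only, and the selector and domain names are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"strings"
)

// Zone stands in for the domain's DNS (constructed): "<selector>._domainkey.<domain>" -> DKIM TXT record.
type Zone map[string]string
// NewKey mints a fresh signing key; each delegate (edge MTA, outsourced sender, CDN) gets its own.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func digest(body string) []byte { h := sha256.Sum256([]byte(body)); return h[:] } // body only; real DKIM hashes headers too

// Publish delegates one selector to one signer by publishing only that signer's public key.
func Publish(z Zone, selector, domain string, pub *rsa.PublicKey) {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	z[selector+"._domainkey."+domain] = "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// Revoke ends that delegation with an empty p= tag (RFC 6376 section 3.6.1); other selectors are untouched.
func Revoke(z Zone, selector, domain string) { z[selector+"._domainkey."+domain] = "v=DKIM1; k=rsa; p=" }

// Sign produces the rsa-sha256 signature a delegate would place in the DKIM-Signature b= tag.
func Sign(priv *rsa.PrivateKey, body string) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(body))
}

// Verify resolves the selector's record, extracts p=, and checks the signature; a missing record or an
// empty p= fails, which is why mail still in flight under a revoked key stops verifying.
func Verify(z Zone, selector, domain, body string, sig []byte) error {
	_, p, _ := strings.Cut(strings.ReplaceAll(z[selector+"._domainkey."+domain], " ", ""), "p=")
	p, _, _ = strings.Cut(p, ";") // tolerate trailing tags after p=
	if p == "" {
		return errors.New("no usable key for selector (record missing or revoked)")
	}
	der, err := base64.StdEncoding.DecodeString(p)
	if err != nil {
		return err
	}
	pub, err := x509.ParsePKIXPublicKey(der) // records published here are always k=rsa
	if err != nil {
		return err
	}
	return rsa.VerifyPKCS1v15(pub.(*rsa.PublicKey), crypto.SHA256, digest(body), sig)
}
```

Revoking the delegate's selector leaves the domain's other selectors verifying as before, and only mail signed under the revoked selector stops verifying.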



_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html