Keith, Keith Moore wrote:
I'm comfortable with having a domain's "root public keys" stored in DNS but allowing the corresponding "root private keys" to sign key certificates for "individual public keys" that can be included in DKIM-signed messages. The policies for use of those public keys can then be encoded in the certificates, allowing those policies to be specified on a per-user basis. This gets out of the trap of having to specify policy on a per-domain basis, and doesn't require any more DNS queries than current DKIM. IMHO it would make DKIM much more flexible and adaptable to diverse domain situations (and thereby much more acceptable as a standard) than the current proposal.
If there were an I-D describing such a protocol, I'd be interested in reading it - is there one? Stephen. _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf