SigningTable (was: SigingTable)

From: SM <sm_at_resistor.net>
Date: Sun, 21 Feb 2010 15:49:19 -0800

Hi Murray,
At 13:17 21-02-10, Murray S. Kucherawy wrote:
>If you're using "refile", then the regular expression would match
>but the third value (the key data) is missing from the above example.
>
>For all other cases, the key "*_at_example.com" isn't one of the ones
>queried (see the SigningTable description in opendkim.conf.5.in),
>and it would be looking up "example.com:selector" in the KeyTable
>which probably isn't what you want.
>
>What you probably want is a SigningTable entry of "example.com"
>mapping to some key X (which covers all users in example.com), and
>then a KeyTable entry mapping X to "example.com:selector:keydata".

I guess that I do not understand how it works. Let's say I have a
domain example.com and I would like to use different private
keys/selectors for different groups of users. I have:

   sm_at_example.com
   msk_at_example.com

They will be signed with different selectors. I can decide to use
the same key or different keys for each entry. I'll add these two
entries to the SigningTable. Now, I need to point them to the
selector and the domain to use. Once that is done, I map the
selector and domain to a key in KeyTable.

If the mapping is derived from the key, I cannot do:

  selector1:example.com:key1
  selector2:example.com:key1

From our previous discussion, I understood that it is the selector
and domain that determines what key to use. I could for example
change the above to:

  selector1:example.com:key1
  selector2:example.com:key2

Regards,
-sm
Received on Sun Feb 21 2010 - 23:49:47 PST
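The two-stage layout Murray describes (SigningTable maps a sender to a key name, KeyTable maps that name to domain:selector:keyfile), written out as an added example that is not part of the original thread; the file paths, the selector names, the `refile:` prefix and the `.private` key files are assumptions, and the archive's `_at_` obfuscation is written as `@`.

```text
# /etc/opendkim.conf (assumed paths; only the two relevant lines shown)
KeyTable      /etc/opendkim/KeyTable
SigningTable  refile:/etc/opendkim/SigningTable

# /etc/opendkim/KeyTable
# Format: keyname  signingdomain:selector:path-to-private-key
# The key name on the left is arbitrary; it is NOT "selector:domain".
# Two entries may share one private key file and differ only in selector,
# or point at different key files, as the author asked.
key1   example.com:selector1:/etc/opendkim/keys/example.com/selector1.private
key2   example.com:selector2:/etc/opendkim/keys/example.com/selector2.private

# /etc/opendkim/SigningTable (refile form: glob patterns, "*" is a wildcard)
# Format: sender-pattern  keyname   (keyname must exist in KeyTable)
sm@example.com    key1
msk@example.com   key2
# A catch-all for the rest of the domain, as in Murray's reply, would be:
# *@example.com   key1
```

A sender that matches no SigningTable pattern is left unsigned, so each address group needs its own line or a matching wildcard; check with `opendkim-testkey -d example.com -s selector1` that the selector and key file agree with the published DNS record.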
