-----Original Message-----
From: dkim-ops-bounces(_at_)mipassoc(_dot_)org [mailto:dkim-ops-
bounces(_at_)mipassoc(_dot_)org] On Behalf Of Hector Santos
Sent: Sunday, September 12, 2010 10:10 AM
To: dkim-ops(_at_)mipassoc(_dot_)org
Cc: dkim-ops(_at_)mipassoc(_dot_)org
Subject: Re: [dkim-ops] hammering with a soldering iron, was subdomain
vs. cousin domain
But Crocker's DKIM.ORG FAQ web page says:
"DKIM permits signing to be performed by authorized third-parties."
[1]
[1] DKIM Frequently Asked Questions
http://www.dkim.org/info/dkim-faq.html#basics
How is this authorization done? How do you verify the authorization?
The third party gives you a public key matching a private key they wish to use
to sign mail as you, and you put it in your DNS. Then that third party can
generate mail with signatures that have your "d=" by using the matching private
key.
As a verifier, I confirm the authorization implicitly by noting that your
domain has a public key that works to verify signatures placed on mail that
appears to come from you. That means that, absent cache poisoning or other
attacks, you authorized use of that key pair by putting half of it in your DNS.
That's the third-party authorization that DKIM implicitly supports. I suspect,
though, that you're looking for a mechanism by which X can say "d=Y with From:
X is OK by us." Nothing officially supports that right now.
Is this FUD? <g>
Dunno... does it frighten you?
-MSK
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops