dkim-ops
[Top] [All Lists]

Re: [dkim-ops] hammering with a soldering iron, was subdomain vs. cousin domain

2010-09-13 02:01:22
-----Original Message-----
From: dkim-ops-bounces(_at_)mipassoc(_dot_)org [mailto:dkim-ops-
bounces(_at_)mipassoc(_dot_)org] On Behalf Of Hector Santos
Sent: Sunday, September 12, 2010 10:10 AM
To: dkim-ops(_at_)mipassoc(_dot_)org
Cc: dkim-ops(_at_)mipassoc(_dot_)org
Subject: Re: [dkim-ops] hammering with a soldering iron, was subdomain
vs. cousin domain

But Crocker's DKIM.ORG FAQ web page says:

   "DKIM permits signing to be performed by authorized third-parties."
[1]

[1]  DKIM Frequently Asked Questions
      http://www.dkim.org/info/dkim-faq.html#basics

How is this authorization done?  How do you verify the authorization?

The third party gives you a public key matching a private key they wish to use 
to sign mail as you, and you put it in your DNS.  Then that third party can 
generate mail with signatures that have your "d=" by using the matching private 
key.

As a verifier, I confirm the authorization implicitly by noting that your 
domain has a public key that works to verify signatures placed on mail that 
appears to come from you.  That means that, absent cache poisoning or other 
attacks, you authorized use of that key pair by putting half of it in your DNS.

That's the third-party authorization that DKIM implicitly supports.  I suspect, 
though, that you're looking for a mechanism by which X can say "d=Y with From: 
X is OK by us."  Nothing officially supports that right now.

Is this FUD? <g>

Dunno... does it frighten you?

-MSK

_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops

<Prev in Thread] Current Thread [Next in Thread>