dkim-ops
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [dkim-ops] hammering with a soldering iron, was subdomain vs. cousin domain

2010-09-13 11:48:37
from [Douglas Otis] [Permanent Link] 
  On 9/12/10 11:27 PM, Murray S. Kucherawy wrote:

On Sunday, September 12, 2010 10:10 AM,Hector Santos Wrote:
But Crocker's DKIM.ORG FAQ web page says:

    "DKIM permits signing to be performed by authorized third-parties."
[1]

[1]  DKIM Frequently Asked Questions
       http://www.dkim.org/info/dkim-faq.html#basics

How is this authorization done?  How do you verify the authorization?

The third party gives you a public key matching a private key they wish to 
use to sign mail as you, and you put it in your DNS.  Then that third party 
can generate mail with signatures that have your "d=" by using the matching 
private key.

Giving third-parties private cryptographic keys for your domain so they 
can then send messages that will appear signed by your domain without 
your review is risky since it does _not_ convey authorization has been 
granted.

As a verifier, I confirm the authorization implicitly by noting that your 
domain has a public key that works to verify signatures placed on mail that 
appears to come from you.  That means that, absent cache poisoning or other 
attacks, you authorized use of that key pair by putting half of it in your 
DNS.

The verifier is only able to determine that the signature was valid, 
however distributing private cryptographic keys will not convey that the 
message came from an unidentified third-party.  In addition, this method 
is impractical for dealing with issues that are now causing delivery 
problems.  Distributing private keys to mailing-lists by domains that 
see a need to have restrictive policies would be extremely unwise, and 
not something able to scale.

That's the third-party authorization that DKIM implicitly supports.  I 
suspect, though, that you're looking for a mechanism by which X can say "d=Y 
with From: X is OK by us."  Nothing officially supports that right now.

Indicating _any_ type of authorization by name does not currently 
exist.  Rather than a verifiable note that indicates X is allowed to 
drive your car, this would be giving them a mask and your drivers 
license to have everyone believing it was you driving.  Not such a great 
idea when things go wrong. wrong. wrong.

-Doug

_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [dkim-ops] hammering with a soldering iron, was subdomain vs. cousin domain, Murray S. Kucherawy
Next by Date:  Re: [dkim-ops] subdomain vs. cousin domain (when deploying"discardable"), Derek Diget
Previous by Thread:  Re: [dkim-ops] hammering with a soldering iron, was subdomain vs. cousin domain, Murray S. Kucherawy
Next by Thread:  Re: [dkim-ops] hammering with a soldering iron, was subdomain vs. cousin domain, Hector Santos
Indexes:  [Date] [Thread] [Top] [All Lists]