On 9/12/10 11:27 PM, Murray S. Kucherawy wrote:
> On Sunday, September 12, 2010 10:10 AM, Hector Santos wrote:
>> But Crocker's DKIM.ORG FAQ web page says:
>> "DKIM permits signing to be performed by authorized third-parties."
>> [1]
>> [1] DKIM Frequently Asked Questions
>> http://www.dkim.org/info/dkim-faq.html#basics
>> How is this authorization done? How do you verify the authorization?
> The third party gives you a public key matching a private key they wish to
> use to sign mail as you, and you put it in your DNS. Then that third party
> can generate mail with signatures that have your "d=" by using the matching
> private key.
Giving third parties private cryptographic keys for your domain so they
can then send messages that will appear signed by your domain without
your review is risky since it does _not_ convey that authorization has been
granted.
> As a verifier, I confirm the authorization implicitly by noting that your
> domain has a public key that works to verify signatures placed on mail that
> appears to come from you. That means that, absent cache poisoning or other
> attacks, you authorized use of that key pair by putting half of it in your
> DNS.
The verifier is only able to determine that the signature was valid;
however, distributing private cryptographic keys will not convey that the
message came from an unidentified third party. In addition, this method
is impractical for dealing with issues that are now causing delivery
problems. Distributing private keys to mailing lists by domains that
see a need to have restrictive policies would be extremely unwise, and
not something able to scale.
> That's the third-party authorization that DKIM implicitly supports. I
> suspect, though, that you're looking for a mechanism by which X can say "d=Y
> with From: X is OK by us." Nothing officially supports that right now.
Indicating _any_ type of authorization by name does not currently
exist. Rather than a verifiable note that indicates X is allowed to
drive your car, this would be giving them a mask and your driver's
license to have everyone believing it was you driving. Not such a great
idea when things go wrong. wrong. wrong.
-Doug
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
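A verifier-side illustration of the point argued above, added here and not code from the thread or from any DKIM implementation: a valid signature only shows that whoever holds the d= key signed, and whether that d= domain is the author's From: domain is a separate check that DKIM itself does not make. The cryptographic verification (DNS key fetch, hash and RSA check) is assumed to have been done elsewhere; the messages are constructed samples with placeholder bh=/b= values.

```python
import email
from email.utils import parseaddr
from typing import Optional

def dkim_signing_domain(msg) -> Optional[str]:
    """d= tag of the first DKIM-Signature header, lowercased, or None."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    # Unfold the header, then walk its tag=value list.
    for tag in sig.replace("\r\n", "").replace("\n", "").split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "d":
            return value.strip().lower()
    return None

def author_domain(msg) -> Optional[str]:
    """Domain of the first address in From:, lowercased, or None."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() or None

def classify(raw_message: str) -> str:
    """Relate an (assumed valid) signature's d= to the From: domain.
    'exact'       d= is the author domain
    'subdomain'   d= is a parent or child of the author domain
    'third-party' d= is unrelated: the key holder signed, but nothing in
                  the signature says the author domain authorized them
    'unsigned'    no DKIM-Signature or no From: address"""
    msg = email.message_from_string(raw_message)
    d, a = dkim_signing_domain(msg), author_domain(msg)
    if d is None or a is None:
        return "unsigned"
    if d == a:
        return "exact"
    if a.endswith("." + d) or d.endswith("." + a):
        return "subdomain"
    return "third-party"

# Constructed samples: same author, three different signers (d= values).
HEADERS = "From: Alice <alice@example.com>\nTo: dkim-ops@example.net\nSubject: test\n"
SIG = "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={d}; s=sel1;\n" \
      " h=from:to:subject; bh=PLACEHOLDER_BODY_HASH; b=PLACEHOLDER_SIG\n\nhello\n"
DIRECT = HEADERS + SIG.format(d="example.com")        # author signed itself
SUBDOMAIN = HEADERS + SIG.format(d="mail.example.com")  # author's mail host
LIST = HEADERS + SIG.format(d="lists.example.net")      # mailing list signed
UNSIGNED = HEADERS + "\nhello\n"
```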