dkim-ops

Re: [dkim-ops] hammering with a soldering iron, was subdomain vs. cousin domain

2010-09-13 12:02:26
Murray S. Kucherawy wrote:

As a verifier, I confirm the authorization implicitly by noting 
that your domain has a public key that works to verify signatures placed 
on mail that appears to come from you.  That means that, absent cache 
poisoning or other attacks, you authorized use of that key pair by 
putting half of it in your DNS.

That's the third-party authorization that DKIM implicitly supports.  
I suspect, though, that you're looking for a mechanism by which X can 
say "d=Y with From: X is OK by us."  Nothing officially supports that 
right now.

Is this FUD? <g>

Dunno... does it frighten you?

Frighten?

No Murray. But perhaps someone should be because the responsibility is 
now once again shifted from the passive 3rd party signer back to the 
visible 1st party 8222.From equal d= domain transaction.  As far as 
the potential millions of potential receivers are concerned, the Author 
Domain is once again responsible for signing the message.

Worse, when the signature fails, the wrong domain brand and unknown 
reputation scoring across receivers is negatively hurt.

Ironically, with my DKIM work of late I've been working with a major 
customer who are doing this public key provisioning by an "authorized" 
3rd party signing service to blast spam to a few million subscribers.

We will be gathering information this week to find out why the 
signature fails. The body hash seems fine though, but not the 
signature.  It appears no one really has done any real confirmation on 
verification outside the yahoo distribution - the main reason the 
customer went with this 3PS vendor.

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com



_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
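
The message above mentions a body hash that checks out while the signature does not; in DKIM (RFC 6376) that leaves the signed headers, the DKIM-Signature field itself, or the key as candidates. The following Python is an added example, not part of the original message or code from its author: it compares a signer-side copy with a received copy using relaxed canonicalization and reports which h= headers changed. It does not perform the RSA check of b=; the messages, domain, selector and b= value are constructed for illustration.

```python
import base64, hashlib, re

def relaxed_body(body: bytes) -> bytes:
    # RFC 6376 3.4.4: collapse WSP runs, strip line-end WSP, drop trailing empty lines
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(l + b"\r\n" for l in lines)

def relaxed_header(name: str, value: str) -> bytes:
    # RFC 6376 3.4.2: lowercase name, unfold, collapse WSP, trim the value
    v = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip(" ")
    return f"{name.lower()}:{v}\r\n".encode()

def body_hash(body: bytes) -> str:
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def header_digest(headers: dict, signed: list, dkim_sig: str) -> str:
    # Digest that b= covers: the h= headers, then DKIM-Signature with b= emptied
    data = b"".join(relaxed_header(h, headers[h]) for h in signed)
    emptied = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", dkim_sig)
    return hashlib.sha256(data + relaxed_header("DKIM-Signature", emptied)[:-2]).hexdigest()

def diagnose(sent: dict, received: dict, signed: list, dkim_sig: str) -> dict:
    bh = re.search(r"(?:^|;)\s*bh=([^;]+)", dkim_sig).group(1).strip()
    return {
        "body_hash_ok": body_hash(received["body"]) == bh,
        "header_digest_ok": header_digest(sent["headers"], signed, dkim_sig)
                            == header_digest(received["headers"], signed, dkim_sig),
        "changed": [h for h in signed if relaxed_header(h, sent["headers"][h])
                    != relaxed_header(h, received["headers"][h])],
    }

# Constructed sample: the signer-side copy and the copy one receiver saw
SIGNED = ["From", "Subject"]
SENT = {"headers": {"From": "News <news@example.com>", "Subject": "Weekly offers"},
        "body": b"Hello subscriber,\r\nThis week's offers.\r\n"}
RECEIVED = {"headers": {"From": "News  <news@example.com>",
                        "Subject": "[promo] Weekly offers"},
            "body": b"Hello subscriber,  \r\nThis week's  offers.\r\n\r\n"}
# Constructed signature field; the b= value is a placeholder, not a real signature
DKIM_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
            "h=from:subject; bh=" + body_hash(SENT["body"]) + "; b=PLACEHOLDER")

RESULT = diagnose(SENT, RECEIVED, SIGNED, DKIM_SIG)
print(RESULT)
```

Whitespace-only changes in the body and in From survive relaxed canonicalization, so only the rewritten Subject is reported.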
