Murray S. Kucherawy wrote:
As a verifier, I confirm the authorization implicitly by noting
that your domain has a public key that works to verify signatures placed
on mail that appears to come from you. That means that, absent cache
poisoning or other attacks, you authorized use of that key pair by
putting half of it in your DNS.
That's the third-party authorization that DKIM implicitly supports.
I suspect, though, that you're looking for a mechanism by which X can
say "d=Y with From: X is OK by us." Nothing officially supports that
right now.
Is this FUD? <g>
Dunno... does it frighten you?
Frighten?
No Murray. But perhaps someone should be, because the responsibility is
now once again shifted from the passive 3rd party signer back to the
visible 1st party 8222.From equal d= domain transaction. As far as
the potential millions of receivers are concerned, the Author
Domain is once again responsible for signing the message.
Worse, when the signature fails, the wrong domain brand and unknown
reputation scoring across receivers are negatively hurt.
Ironically, with my DKIM work of late I've been working with a major
customer who is doing this public key provisioning by an "authorized"
3rd party signing service to blast spam to a few million subscribers.
We will be gathering information this week to find out why the
signature fails. The body hash seems fine, but not the
signature. It appears no one really has done any real confirmation on
verification outside the Yahoo distribution, the main reason the
customer went with this 3PS vendor.
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
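The exchange above turns on one check a receiver can make before any cryptography runs: does the d= domain in the DKIM-Signature match the domain in the visible From: header (an author-domain signature), or is it some other domain (a third-party signer)? The following is an added example, not code from the thread or from any of the participants; the two message headers are constructed samples, and the b= and bh= values are placeholders, not real signatures. It parses the tag list, derives the DNS name where the public key would be published (selector._domainkey.d=), and classifies the signature as first-party or third-party. It does not fetch the key or verify the signature; that step is left out on purpose so the block runs offline.

```python
import re
from email.utils import parseaddr

# Constructed sample headers (not from the thread). Same From: domain in both;
# only the signing domain (d=) differs. b= and bh= are placeholders.
FIRST_PARTY_MSG = {
    "From": "Alice Example <alice@example.com>",
    "DKIM-Signature": (
        "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
        "h=from:to:subject:date; bh=ZmFrZWJvZHloYXNo; b=ZmFrZXNpZw=="
    ),
}
THIRD_PARTY_MSG = {
    "From": "Alice Example <alice@example.com>",
    "DKIM-Signature": (
        "v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp-vendor.example.net; "
        "s=mail2024; h=from:to:subject:date; bh=ZmFrZWJvZHloYXNo; b=ZmFrZXNpZw=="
    ),
}


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature header into its tag=value pairs (RFC 6376 tag-list).

    Only the first '=' separates tag from value, so base64 padding in b= survives.
    Whitespace inside a value (including header folding) is not significant.
    """
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def key_record_name(tags: dict) -> str:
    """DNS name of the TXT record that would publish this signature's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def author_domain(from_header: str) -> str:
    """Domain part of the address in the visible From: header, lower-cased."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify_signature(msg: dict) -> dict:
    """Decide whose reputation a verifier would attribute this signature to.

    'author_domain_signature' is the strict d= == From-domain case the thread
    discusses; 'aligned' additionally accepts a subdomain of the author domain.
    Anything else is a third-party signature: the key lives in the signer's
    DNS, not the author's, so the author domain never authorized it via DKIM.
    """
    tags = parse_dkim_tags(msg["DKIM-Signature"])
    if "d" not in tags or "s" not in tags:
        raise ValueError("DKIM-Signature missing required d= or s= tag")
    signing = tags["d"].lower()
    author = author_domain(msg["From"])
    same = signing == author
    aligned = same or signing.endswith("." + author)
    return {
        "signing_domain": signing,
        "author_domain": author,
        "key_record": key_record_name(tags),
        "author_domain_signature": same,
        "aligned": aligned,
        "kind": "first-party" if aligned else "third-party",
    }


if __name__ == "__main__":
    for label, msg in (("first", FIRST_PARTY_MSG), ("third", THIRD_PARTY_MSG)):
        info = classify_signature(msg)
        print(f"{label}: {info['kind']}, key at {info['key_record']}")
```

A verifier that logs `kind` alongside the pass/fail result can tell, when a signature fails, whether the failure lands on the author's domain or on a vendor's, which is exactly the attribution problem raised in the reply above.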