dkim-ops

[dkim-ops] BCP for authorizing third-parties ([...] was subdomain vs. cousin domain)

2010-09-13 13:49:43
On Sep 13, 2010, at 2:27 AM, Murray S. Kucherawy wrote:

But Crocker's DKIM.ORG FAQ web page says:

  "DKIM permits signing to be performed by authorized third-parties." [1]

[1]  DKIM Frequently Asked Questions
     http://www.dkim.org/info/dkim-faq.html#basics

How is this authorization done?  How do you verify the authorization?

The third party gives you a public key matching a private key they wish to 
use to sign mail as you, and you put it in your DNS.  Then that third party 
can generate mail with signatures that have your "d=" by using the matching 
private key.

As a verifier, I confirm the authorization implicitly by noting that your 
domain has a public key that works to verify signatures placed on mail that 
appears to come from you. That means that, absent cache poisoning or other 
attacks, you authorized use of that key pair by putting half of it in your 
DNS.

That's the third-party authorization that DKIM implicitly supports.  I 
suspect, though, that you're looking for a mechanism by which X can say "d=Y 
with From: X is OK by us." Nothing officially supports that right now.

I'm surprised to see this level of misunderstanding on this mail list between 
experts in this space.  Is there already a BCP from IETF regarding DKIM key 
management with/for 3rd-party senders?  If not IETF, anywhere else?  If not, we 
probably should put one together.

-- Brett
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
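
Added example (not part of the original message or of any DKIM implementation): a sketch of where a verifier looks for the key named by a signature's "s=" and "d=" tags, and why a key published under the author's own domain is the only delegation DKIM itself expresses. The zone contents, selector names and key strings are constructed placeholders, the subdomain match is an assumption of this sketch, and no cryptographic verification is performed.

```python
import re

# Constructed TXT records (placeholder key data, not real keys). example.com
# publishes "corp" for its own servers and "esp1" for a key a third party supplied.
ZONE = {
    "corp._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBCONSTRUCTED1",
    "esp1._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBCONSTRUCTED2",
    "old._domainkey.example.com": "v=DKIM1; k=rsa; p=",  # empty p= means revoked
    "s1._domainkey.esp.example.net": "v=DKIM1; k=rsa; p=MIIBCONSTRUCTED3",
}

def parse_tags(value):
    """Parse an RFC 6376 tag=value list, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")  # base64 values may contain '='
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_query_name(sig_header):
    """DNS name the verifier queries: <selector>._domainkey.<d= domain>."""
    t = parse_tags(sig_header)
    return f"{t['s']}._domainkey.{t['d']}".lower()

def classify(sig_header, from_addr, zone=ZONE):
    """Say what the published key tells a verifier about authorization."""
    d = parse_tags(sig_header)["d"].lower()
    record = zone.get(key_query_name(sig_header))
    if record is None:
        return "no-key"
    if parse_tags(record).get("p", "") == "":
        return "revoked"
    from_domain = from_addr.rsplit("@", 1)[-1].strip("> ").lower()
    # Assumption of this sketch: d= equal to, or a parent of, the From: domain
    # counts as the author's domain. DKIM itself defines no such comparison.
    if from_domain == d or from_domain.endswith("." + d):
        # The domain owner put this key in its DNS, so whoever holds the private
        # half (own server or third party) was implicitly authorized.
        return "author-domain-key"
    # "d=Y with From: X": the signature may verify, but nothing published by X
    # says that Y may sign for it.
    return "other-domain"
```

A result of "author-domain-key" looks the same whether the private key sits on the domain owner's server or at a third-party sender, which is the implicit authorization described in the message above.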
