On Sep 13, 2010, at 2:27 AM, Murray S. Kucherawy wrote:
But Crocker's DKIM.ORG FAQ web page says:
"DKIM permits signing to be performed by authorized third-parties."
[1]
[1] DKIM Frequently Asked Questions
http://www.dkim.org/info/dkim-faq.html#basics
How is this authorization done? How do you verify the authorization?
The third party gives you a public key matching a private key they wish to
use to sign mail as you, and you put it in your DNS. Then that third party
can generate mail with signatures that have your "d=" by using the matching
private key.
As a verifier, I confirm the authorization implicitly by noting that your
domain has a public key that works to verify signatures placed on mail that
appears to come from you. That means that, absent cache poisoning or other
attacks, you authorized use of that key pair by putting half of it in your
DNS.
That's the third-party authorization that DKIM implicitly supports. I
suspect, though, that you're looking for a mechanism by which X can say "d=Y
with From: X is OK by us." Nothing officially supports that right now.
I'm surprised to see this level of misunderstanding on this mail list between
experts in this space. Is there already a BCP from IETF regarding DKIM key
management with/for 3rd-party senders? If not IETF, anywhere else? If not, we
probably should put one together.
-- Brett
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops