-----Original Message-----
From: dkim-ops-bounces(_at_)mipassoc(_dot_)org
[mailto:dkim-ops-bounces(_at_)mipassoc(_dot_)org]
On Behalf Of McDowell, Brett
Sent: Monday, September 13, 2010 2:13 PM
To: Murray S. Kucherawy
Cc: dkim-ops(_at_)mipassoc(_dot_)org
Subject: [dkim-ops] BCP for authorizing third-parties ([...] was subdomain vs. cousin domain)
On Sep 13, 2010, at 2:27 AM, Murray S. Kucherawy wrote:
But Crocker's DKIM.ORG FAQ web page says:
"DKIM permits signing to be performed by authorized third-parties." [1]
[1] DKIM Frequently Asked Questions
http://www.dkim.org/info/dkim-faq.html#basics
How is this authorization done? How do you verify the authorization?
The third party gives you a public key matching a private key they wish to use to sign mail as you, and you put it in your DNS. Then that third party can generate mail with signatures that have your "d=" by using the matching private key.
As a verifier, I confirm the authorization implicitly by noting that your domain has a public key that works to verify signatures placed on mail that appears to come from you. That means that, absent cache poisoning or other attacks, you authorized use of that key pair by putting half of it in your DNS.
That's the third-party authorization that DKIM implicitly supports. I suspect, though, that you're looking for a mechanism by which X can say "d=Y with From: X is OK by us." Nothing officially supports that right now.
I'm surprised to see this level of misunderstanding on this mail list between experts in this space. Is there already a BCP from IETF regarding DKIM key management with/for 3rd-party senders? If not IETF, anywhere else? If not, we probably should put one together.
-- Brett
There is actually another approach besides what you indicate above. A domain can delegate a domain or subdomain to the 3rd party and let them generate the keys and signature.
Mike
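The two arrangements discussed in this thread, as an added Go example that is not code from the list or from any DKIM implementation: in Murray's model the domain owner publishes the third party's public key at selector._domainkey.example.com and the third party signs with d=example.com; in Mike's model a subdomain (bulk.example.com here) is delegated to the third party, who publishes its own key there and signs with d=bulk.example.com. The DNS zone is a constructed in-memory map, the selector names and domains are constructed, and the canonicalization is a deliberately simplified stand-in for RFC 6376's header/body canonicalization. The verifier's only evidence of authorization is that the key it fetches from d='s zone validates the signature; it cannot tell whether the matching private key sits with the domain owner or a third party, and the one observable difference between the two models is whether d= equals the From: domain.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// zone is a constructed stand-in for DNS: TXT record name -> record text.
type zone map[string]string

// publishKey is the step Murray describes: whoever controls the zone for
// domain puts the public half of a key pair at selector._domainkey.domain
// in the RFC 6376 record format (p= is the base64 SubjectPublicKeyInfo).
func publishKey(z zone, domain, selector string, pub *rsa.PublicKey) error {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return err
	}
	z[selector+"._domainkey."+domain] = "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
	return nil
}

// parseTags splits a DKIM tag=value list ("a=b; c=d") into a map.
func parseTags(s string) map[string]string {
	m := map[string]string{}
	for _, kv := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			m[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return m
}

// signedHash is a simplified stand-in for DKIM canonicalization: the signed
// bytes bind the From header, the body and the d=/s= tags together.
func signedHash(from, body, d, s string) []byte {
	h := sha256.Sum256([]byte("from:" + from + "\nd=" + d + "\ns=" + s + "\n\n" + body))
	return h[:]
}

// sign is done by whoever holds the private key (here, the third party): it
// produces a DKIM-Signature value claiming d=domain under selector s.
func sign(priv *rsa.PrivateKey, from, body, d, s string) (string, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, signedHash(from, body, d, s))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("v=1; a=rsa-sha256; d=%s; s=%s; b=%s",
		d, s, base64.StdEncoding.EncodeToString(sig)), nil
}

// Verdict records whether the signature validated against the key published
// under d=, and whether d= equals the From: domain (an author-domain signature).
type Verdict struct {
	Pass       bool
	FirstParty bool
}

// verify does what a DKIM verifier does: fetch s._domainkey.d, and if that
// public key validates the signature, the owner of d authorized the signer.
// It cannot tell whether the private key is held by d itself or a third party.
func verify(z zone, dkimHeader, from, body string) (Verdict, error) {
	t := parseTags(dkimHeader)
	d, s := t["d"], t["s"]
	rec, ok := z[s+"._domainkey."+d]
	if !ok {
		return Verdict{}, errors.New("no key record at " + s + "._domainkey." + d)
	}
	kt := parseTags(rec)
	der, err := base64.StdEncoding.DecodeString(kt["p"])
	if err != nil {
		return Verdict{}, err
	}
	pubAny, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return Verdict{}, err
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok || kt["k"] != "rsa" {
		return Verdict{}, errors.New("key record is not an RSA key")
	}
	sig, err := base64.StdEncoding.DecodeString(t["b"])
	if err != nil {
		return Verdict{}, err
	}
	pass := rsa.VerifyPKCS1v15(pub, crypto.SHA256, signedHash(from, body, d, s), sig) == nil
	fromDomain := from[strings.LastIndex(from, "@")+1:]
	return Verdict{Pass: pass, FirstParty: strings.EqualFold(d, fromDomain)}, nil
}

func main() {
	z := zone{}
	from, body := "alice@example.com", "constructed message body"
	esp, _ := rsa.GenerateKey(rand.Reader, 2048) // generated and kept by the third party
	// Model 1 (Murray): example.com publishes the third party's public key in its own zone.
	publishKey(z, "example.com", "esp1", &esp.PublicKey)
	hdr, _ := sign(esp, from, body, "example.com", "esp1")
	fmt.Println(verify(z, hdr, from, body)) // {true true} <nil>
	// Model 2 (Mike): bulk.example.com is delegated; the third party publishes its own key there.
	publishKey(z, "bulk.example.com", "k1", &esp.PublicKey)
	hdr, _ = sign(esp, from, body, "bulk.example.com", "k1")
	fmt.Println(verify(z, hdr, from, body)) // {true false} <nil>
	// A key never published under d= does not verify, whoever holds it.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	hdr, _ = sign(other, from, body, "example.com", "esp1")
	fmt.Println(verify(z, hdr, from, body)) // {false true} <nil>
}
```

Run it with `go run .`; the three verdicts show that in model 1 a passing signature looks identical to one the domain owner made itself, in model 2 the signature passes but d= is visibly not the author domain, and in both cases a private key whose public half was never published under d= yields no pass, which is exactly the "you authorized it by putting half of it in your DNS" argument above.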
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops