-----Original Message-----
From: Murray S. Kucherawy [mailto:msk(_at_)cloudmark(_dot_)com]
Sent: Monday, September 13, 2010 3:32 PM
To: MH Michael Hammer (5304); McDowell, Brett
Cc: dkim-ops(_at_)mipassoc(_dot_)org
Subject: RE: [dkim-ops] BCP for authorizing third-parties ([...] was subdomain vs. cousin domain)
-----Original Message-----
From: MH Michael Hammer (5304) [mailto:MHammer(_at_)ag(_dot_)com]
Sent: Monday, September 13, 2010 12:27 PM
To: Murray S. Kucherawy; McDowell, Brett
Cc: dkim-ops(_at_)mipassoc(_dot_)org
Subject: RE: [dkim-ops] BCP for authorizing third-parties ([...] was subdomain vs. cousin domain)
Actually not quite true Murray.
If I am signing for americangreetings.com and I delegate
email.americangreetings.com to ExactTarget (a real example) and they are
generating their own keys for email. and signing, that is a first party
signature as far as the verifier is concerned (not 3rd party).
It also doesn't integrate email. into the base domain of
americangreetings.com from a verifier perspective.
But I, as a verifier, can't tell that email.americangreetings.com is
actually a third party. It's just another domain to me.
There is in fact a significant difference between handing your private
key to a 3rd party and delegating a subdomain. While to you as a
verifier, it may be just another domain, to myself as a sender and
signer it is a significant difference in terms of management and
control.
Things like TPA or DSAP attempt to make the delegation of authority
visible, but the ones that use DNS mechanisms like CNAME and NS don't do
so.
You are correct. I forget that many in the mail community do not know
how to use tools such as dig.
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
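
Added example, not part of the original messages: a short Python sketch of what an operator can read out of dig answer-section output for the NS and CNAME delegation cases discussed in the thread. The record data, the names example.com and esp-example.net, and the two-label organizational-domain rule are assumptions made for illustration.

```python
# Added illustration. The answer lines below are constructed, not real DNS output.
SAMPLE_ANSWERS = """\
email.example.com.              3600 IN NS    ns1.esp-example.net.
k1._domainkey.news.example.com. 3600 IN CNAME k1.dkim.esp-example.net.
k2._domainkey.example.com.      3600 IN TXT   "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"
"""

def org_domain(name):
    """Assumption: organizational domain = last two labels (no Public Suffix List)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def parse_answers(text):
    """Parse 'name ttl class type rdata' lines as printed in dig's answer section."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig comment lines
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((name.rstrip(".").lower(), rtype.upper(), rdata))
    return records

def classify(records, signer_org):
    """Label each record by what DNS reveals about who controls the key."""
    findings = {}
    for name, rtype, rdata in records:
        if rtype in ("NS", "CNAME"):
            target_org = org_domain(rdata)
            if target_org != signer_org:
                findings[name] = f"delegated via {rtype} to {target_org}"
            else:
                findings[name] = f"{rtype} within {signer_org}"
        elif rtype == "TXT" and "v=DKIM1" in rdata:
            # A key record in the signer's own zone says nothing about
            # whether the private key was handed to a third party.
            findings[name] = "TXT key in own zone (private key holder not visible)"
    return findings

if __name__ == "__main__":
    results = classify(parse_answers(SAMPLE_ANSWERS), "example.com")
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
```
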