dkim-ops

Re: [dkim-ops] BCP for authorizing third-parties ([...] was subdomain vs. cousin domain)

2010-09-13 16:44:49
-----Original Message-----
From: MH Michael Hammer (5304) [mailto:MHammer(_at_)ag(_dot_)com]
Sent: Monday, September 13, 2010 12:40 PM
To: Murray S. Kucherawy; McDowell, Brett
Cc: dkim-ops(_at_)mipassoc(_dot_)org
Subject: RE: [dkim-ops] BCP for authorizing third-parties ([...] was
subdomain vs. cousin domain)

But I, as a verifier, can't tell that email.americangreetings.com is
actually a third party.  It's just another domain to me.

There is in fact a significant difference between handing your private
key to a 3rd party and delegating a subdomain. While to you as a
verifier, it may be just another domain, to myself as a sender and
signer it is a significant difference in terms of management and
control.

But don't signers need to have some idea of how the verifiers will handle the 
signatures when deciding how to do such delegations?  Absent any document to 
follow like a BCP for verifiers, you're left to guess at whether a verifier 
will query the DNS further to figure out if it's a delegation to a third party 
or not, and then do enough of those to test all the possibilities.

Things like TPA or DSAP attempt to make the delegation of authority
visible, but the ones that use DNS mechanisms like CNAME and NS don't do
so.

You are correct. I forget that many in the mail community do not know
how to use tools such as dig.

I wouldn't go that far, but I'm certain that most or all automated DKIM 
verifiers currently don't bother with any of that.

