ietf-dkim

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-21 16:24:15
On Sat, Feb 21, 2009 at 10:45:34AM +1200, Franck Martin wrote:
  Any way to tell someone its signature is used in third party signing?

I've been working on something to do just that. Or at least a way to
say such signatures are allowed. My understanding of a "third party"
signature is an authenticated domain that doesn't match RFC 5322.From.
It always bothered me that some may treat 1st party signatures (where
the authenticated domain does match RFC 5322.From) as more trustworthy
than 3rd party signatures. Personally I think that there is no need to
treat 1st and 3rd differently.

So, I've come up with this way to see if the "3rd party" is blessed by
the "1st party":

1) query for the authenticated domain against the 1st party's domain
record using the "Vouch by Reference" protocol.

2) if the domain is listed, then the "3rd party" domain shouldn't be
considered as such.

Here's a hopefully obvious example:

From: joe@aim.com
DKIM-Signature: ... d=aol.com ...

querying for aol.com in aim.com's domain space (via VBR) would return a
result.

We have a rough spec here:
http://mipassoc.org/affil/specs/draft-macdonald-affiliated-nameslist-00-04dc.html

Today we use VBR, but my co-author and I are thinking that we
probably wouldn't even need that once things are ironed out.


-- 
Jeff Macdonald
jmacdonald(_at_)e-dialog(_dot_)com

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
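
Added example, not part of the original message or of the draft it links: the two-step check described in the message, written in Python and run against the aim.com / aol.com case. Assumptions: the query name follows the RFC 5518 (VBR) form `<signer>._vouch.<voucher>`, any TXT answer counts as "listed", DNS is replaced by a constructed dictionary, and the DKIM signature has already been verified.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample; the signature is abbreviated and assumed to have
# already passed DKIM verification (an unverified d= proves nothing).
SAMPLE = ("From: joe@aim.com\n"
          "DKIM-Signature: v=1; a=rsa-sha256; d=aol.com; s=sel; bh=...; b=...\n"
          "\nbody\n")

# Constructed stand-in for DNS TXT lookups: query name -> TXT strings.
FAKE_TXT = {"aol.com._vouch.aim.com": ["all"]}

def fake_lookup(name):
    return FAKE_TXT.get(name.lower(), [])

def author_domain(msg):
    """Domain of the RFC 5322.From address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def signing_domain(msg):
    """Value of the d= tag in the DKIM-Signature header, or ''."""
    for part in msg.get("DKIM-Signature", "").split(";"):
        name, sep, value = part.partition("=")
        if sep and name.strip() == "d":
            return "".join(value.split()).lower()
    return ""

def vbr_query_name(signer, voucher):
    """RFC 5518 query form: <signer>._vouch.<voucher> (assumed here)."""
    return f"{signer}._vouch.{voucher}"

def classify(raw, lookup_txt):
    """Return 'unsigned', 'first-party', 'affiliated' or 'third-party'."""
    msg = message_from_string(raw)
    author, signer = author_domain(msg), signing_domain(msg)
    if not author or not signer:
        return "unsigned"
    if signer == author:
        return "first-party"
    # Step 1: ask the author's domain whether it lists the signer.
    listed = lookup_txt(vbr_query_name(signer, author))
    # Step 2: a listed signer is not treated as a third party.
    return "affiliated" if listed else "third-party"

if __name__ == "__main__":
    print(classify(SAMPLE, fake_lookup))
```

Only the first DKIM-Signature header is examined; a receiver handling several signatures would run the same check per verified signature.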