Yes, this is correct and is the mechanism preventing an attacker from
spoofing your domain in the From header and signing with his own key thereby
possibly making the recipient assume you sent a signed message.
--
Arvel
----- Original Message -----
From: "James Scott" <james(_dot_)scott(_at_)liverton(_dot_)com>
To: "'Dave Crocker'" <dcrocker(_at_)bbiw(_dot_)net>; <arvel(_at_)altn(_dot_)com>;
<ietf-mailsig(_at_)imc(_dot_)org>
Sent: Wednesday, July 27, 2005 7:10 PM
Subject: RE: The cost of choices
Dave Crocker wrote:
that is, if i delegate arvel.bbiw.net to you, either it
validates under bbiw.net or it doesn't. it requires no
"policy" publication for others to query.
My understanding of the process from the drafts is that if a message from
an
"alleged sender" in domain arvel.bbiw.net was received containing a valid
dkim signature applied by a third party, then the signing policy of the
"alleged sender" needs to be checked to determine whether that sender
permits such third party signatures.