> -----Original Message-----
> From: [email protected] [mailto:dkim-ops-
> [email protected]] On Behalf Of Hector Santos
> Sent: Sunday, September 12, 2010 10:10 AM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [dkim-ops] hammering with a soldering iron, was subdomain
> vs. cousin domain
> 
> But Crocker's DKIM.ORG FAQ web page says:
> 
>    "DKIM permits signing to be performed by authorized third-parties."
> [1]
> 
> [1]  DKIM Frequently Asked Questions
>       http://www.dkim.org/info/dkim-faq.html#basics
> 
> How is this authorization done?  How do you verify the authorization?

The third party gives you a public key matching a private key they wish to use 
to sign mail as you, and you put it in your DNS.  Then that third party can 
generate mail with signatures that have your "d=" by using the matching private 
key.

As a verifier, I confirm the authorization implicitly by noting that your 
domain has a public key that works to verify signatures placed on mail that 
appears to come from you.  That means that, absent cache poisoning or other 
attacks, you authorized use of that key pair by putting half of it in your DNS.

That's the third-party authorization that DKIM implicitly supports.  I suspect, 
though, that you're looking for a mechanism by which X can say "d=Y with From: 
X is OK by us."  Nothing officially supports that right now.

> Is this FUD? <g>

Dunno... does it frighten you?

-MSK

_______________________________________________
dkim-ops mailing list
[email protected]
http://mipassoc.org/mailman/listinfo/dkim-ops
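
The key lookup described in the reply above, as an added example that is not part of the original message: it derives the DNS name a verifier queries from a signature's "d=" and "s=" tags and reports whether "d=" matches the From: domain. The DNS data, selector names and function names are constructed for illustration, and the cryptographic check of the signature itself is left out.

```python
import re

# Constructed DNS TXT data (not real records). example.com has published a
# key under selector "esp1"; whoever holds the matching private key, the
# domain owner or a third party, can sign with d=example.com.
DNS_TXT = {
    "esp1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY",
    "revoked._domainkey.example.com": "v=DKIM1; p=",
}

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (DKIM-Signature or key record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def from_domain(from_header):
    """Domain of the address in a From: header value."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else None

def check_delegation(dkim_signature, from_header, dns=DNS_TXT):
    """Return (query_name, status) for one signature.

    status: 'no-key'      - d= domain publishes nothing for this selector
            'revoked'     - record exists but p= is empty
            'author'      - key published and d= matches the From: domain
            'third-party' - key published but d= differs from the From: domain
    Signature verification with the published key is not performed here.
    """
    sig = parse_tags(dkim_signature)
    d, s = sig["d"].lower(), sig["s"]
    qname = f"{s}._domainkey.{d}"
    record = dns.get(qname)
    if record is None:
        return qname, "no-key"
    if not parse_tags(record).get("p"):
        return qname, "revoked"
    return qname, "author" if d == from_domain(from_header) else "third-party"
```

A verifier sees "author" whether the domain owner or a delegated sender holds the private key; "third-party" is the "d=Y with From: X" case, which the lookup alone cannot authorize.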
