On 9/12/10 11:27 PM, Murray S. Kucherawy wrote:
>> On Sunday, September 12, 2010 10:10 AM, Hector Santos wrote:
>> But Crocker's DKIM.ORG FAQ web page says:
>>
>> "DKIM permits signing to be performed by authorized third-parties."
>> [1]
>>
>> [1] DKIM Frequently Asked Questions
>> http://www.dkim.org/info/dkim-faq.html#basics
>>
>> How is this authorization done? How do you verify the authorization?
>
> The third party gives you a public key matching a private key they wish to
> use to sign mail as you, and you put it in your DNS. Then that third party
> can generate mail with signatures that have your "d=" by using the matching
> private key.

Giving third parties private cryptographic keys for your domain, so they can then send messages that will appear signed by your domain without your review, is risky, since it does _not_ convey that authorization has been granted.

> As a verifier, I confirm the authorization implicitly by noting that your
> domain has a public key that works to verify signatures placed on mail that
> appears to come from you. That means that, absent cache poisoning or other
> attacks, you authorized use of that key pair by putting half of it in your
> DNS.

The verifier is only able to determine that the signature was valid; however, distributing private cryptographic keys will not convey that the message came from an unidentified third party. In addition, this method is impractical for dealing with issues that are now causing delivery problems. Distributing private keys to mailing lists by domains that see a need to have restrictive policies would be extremely unwise, and not something able to scale.

> That's the third-party authorization that DKIM implicitly supports. I
> suspect, though, that you're looking for a mechanism by which X can say "d=Y
> with From: X is OK by us." Nothing officially supports that right now.

Indicating _any_ type of authorization by name does not currently exist.

Rather than a verifiable note that indicates X is allowed to drive your car, this would be giving them a mask and your driver's license to have everyone believing it was you driving. Not such a great idea when things go wrong.
-Doug

_______________________________________________
dkim-ops mailing list
[email protected]
http://mipassoc.org/mailman/listinfo/dkim-ops
