Murray S. Kucherawy wrote:
> As a verifier, I confirm the authorization implicitly by noting
> that your domain has a public key that works to verify signatures placed
> on mail that appears to come from you. That means that, absent cache
> poisoning or other attacks, you authorized use of that key pair by
> putting half of it in your DNS.
>
> That's the third-party authorization that DKIM implicitly supports.
> I suspect, though, that you're looking for a mechanism by which X can
> say "d=Y with From: X is OK by us." Nothing officially supports that
> right now.
>
>> Is this FUD? <g>
>
> Dunno... does it frighten you?
Frighten? No, Murray. But perhaps someone should be, because the responsibility is now once again shifted from the passive 3rd party signer back to the visible 1st party 8222.From equal d= domain transaction. As far as the potential millions of receivers are concerned, the Author Domain is once again responsible for signing the message. Worse, when the signature fails, the wrong domain brand and unknown reputation scoring across receivers is negatively hurt.

Ironically, with my DKIM work of late I've been working with a major customer who is doing this public key provisioning by an "authorized" 3rd party signing service to blast spam to a few million subscribers. We will be gathering information this week to find out why the signature fails. The body hash seems fine, though, but not the signature. It appears no one really has done any real confirmation on verification outside the yahoo distribution - the main reason the customer went with this 3PS vendor.

--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
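The two diagnostic questions in this exchange, whether the d= domain is the same as the From: domain (first-party vs. third-party signing) and whether the bh= body hash still matches the body even though the b= signature fails, can be separated mechanically. The following is an added example written for this thread, not code from either poster or from any DKIM library. It implements RFC 6376 simple and relaxed body canonicalization, recomputes bh=, and reports which selector record (s._domainkey.d) a verifier would fetch next; the sample messages, domain names and the PLACEHOLDER b= value are constructed for the example, and the RSA signature check itself is deliberately out of scope because it needs the DNS key.

```python
import base64
import hashlib
import re


def split_message(raw: str):
    """Split an RFC 5322 message into ([(name, value), ...], body).
    Folded header lines (continuations starting with WSP) are rejoined."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers, body


def parse_dkim_signature(value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 3.5).
    Folding whitespace inside tag values (common in bh= and b=) is dropped."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        tag, _, val = item.partition("=")
        tags[tag.strip()] = re.sub(r"\s+", "", val)
    return tags


def canonicalize_body(body: str, method: str) -> bytes:
    """Body canonicalization per RFC 6376 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split("\r\n")
    if method == "relaxed":
        # collapse runs of WSP to one SP and drop trailing WSP on every line
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":  # strip trailing empty lines
        lines.pop()
    if not lines:
        # simple: an empty body becomes a single CRLF; relaxed: it stays empty
        return b"\r\n" if method == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str, method: str = "simple", algorithm: str = "rsa-sha256") -> str:
    """Return the base64 bh= value for a body under the given canonicalization."""
    digest = hashlib.sha1 if algorithm == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(canonicalize_body(body, method)).digest()).decode("ascii")


def triage(raw: str) -> dict:
    """Classify the signature as first- or third-party and check bh= only."""
    headers, body = split_message(raw)
    sig_value = next(v for n, v in headers if n.lower() == "dkim-signature")
    from_value = next(v for n, v in headers if n.lower() == "from")
    tags = parse_dkim_signature(sig_value)
    from_domain = re.search(r"@([A-Za-z0-9.-]+)", from_value).group(1).lower()
    d = tags["d"].lower()
    canon = tags.get("c", "simple/simple")  # header/body; body defaults to simple
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    computed = body_hash(body, body_canon, tags.get("a", "rsa-sha256"))
    # Assumption for this example: d= equal to the From: domain, or a parent of
    # it, counts as first-party; anything else is a third-party signature.
    aligned = d == from_domain or from_domain.endswith("." + d)
    return {
        "signing_domain": d,
        "from_domain": from_domain,
        "party": "first-party" if aligned else "third-party",
        "selector_record": f"{tags['s']}._domainkey.{d}",  # next lookup for b=
        "bh_expected": tags["bh"],
        "bh_computed": computed,
        "body_hash_ok": computed == tags["bh"],
    }


def build_sample(signing_domain: str, from_addr: str, body: str, canon: str = "relaxed/simple") -> str:
    """Constructed sample message whose bh= is correct for its body.
    b= is a placeholder because this example embeds no key pair."""
    bh = body_hash(body, canon.split("/")[1])
    return (
        f"DKIM-Signature: v=1; a=rsa-sha256; c={canon}; d={signing_domain};\r\n"
        f" s=sel1; h=from:to:subject; bh={bh};\r\n"
        " b=PLACEHOLDER\r\n"
        f"From: {from_addr}\r\n"
        "To: subscriber@example.net\r\n"
        "Subject: Hello\r\n"
        "\r\n" + body
    )


# Constructed: an ESP signing on behalf of a brand (d= differs from From:)
SAMPLE_THIRD_PARTY = build_sample("espvendor.example", "newsletter@brand.example", "Hello world\r\n\r\n\r\n")
# Constructed: the author domain signing its own mail
SAMPLE_FIRST_PARTY = build_sample("brand.example", "newsletter@brand.example", "Hello world\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_THIRD_PARTY, SAMPLE_FIRST_PARTY):
        print(triage(sample))
```

If `body_hash_ok` is true for a message whose verifier reports a failure, the body and its canonicalization are not the problem, and attention moves to the header side: the h= list, header canonicalization, the key published at `selector_record`, and the b= computation itself. A false `body_hash_ok` points at body modification in transit (footers, line-ending rewrites) or a c= mismatch between signer and verifier.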
