On Sep 13, 2010, at 2:27 AM, Murray S. Kucherawy wrote:

>> But Crocker's DKIM.ORG FAQ web page says:
>>
>> "DKIM permits signing to be performed by authorized third-parties." [1]
>>
>> [1] DKIM Frequently Asked Questions
>> http://www.dkim.org/info/dkim-faq.html#basics
>>
>> How is this authorization done? How do you verify the authorization?
>
> The third party gives you a public key matching a private key they wish to
> use to sign mail as you, and you put it in your DNS. Then that third party
> can generate mail with signatures that have your "d=" by using the matching
> private key.
>
> As a verifier, I confirm the authorization implicitly by noting that your
> domain has a public key that works to verify signatures placed on mail that
> appears to come from you. That means that, absent cache poisoning or other
> attacks, you authorized use of that key pair by putting half of it in your
> DNS.
>
> That's the third-party authorization that DKIM implicitly supports. I
> suspect, though, that you're looking for a mechanism by which X can say "d=Y
> with From: X is OK by us." Nothing officially supports that right now.
I'm surprised to see this level of misunderstanding on this mail list between experts in this space. Is there already a BCP from IETF regarding DKIM key management with/for 3rd-party senders? If not IETF, anywhere else? If not, we probably should put one together.

-- Brett

_______________________________________________
dkim-ops mailing list
[email protected]
http://mipassoc.org/mailman/listinfo/dkim-ops
