> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of McDowell, Brett
> Sent: Monday, September 13, 2010 2:13 PM
> To: Murray S. Kucherawy
> Cc: [email protected]
> Subject: [dkim-ops] BCP for authorizing third-parties ([...] was subdomain vs. cousin domain)
>
> On Sep 13, 2010, at 2:27 AM, Murray S. Kucherawy wrote:
>
> >> But Crocker's DKIM.ORG FAQ web page says:
> >>
> >> "DKIM permits signing to be performed by authorized third-parties." [1]
> >>
> >> [1] DKIM Frequently Asked Questions
> >> http://www.dkim.org/info/dkim-faq.html#basics
> >>
> >> How is this authorization done? How do you verify the authorization?
> >
> > The third party gives you a public key matching a private key they wish to use to sign mail as you, and you put it in your DNS. Then that third party can generate mail with signatures that have your "d=" by using the matching private key.
> >
> > As a verifier, I confirm the authorization implicitly by noting that your domain has a public key that works to verify signatures placed on mail that appears to come from you. That means that, absent cache poisoning or other attacks, you authorized use of that key pair by putting half of it in your DNS.
> >
> > That's the third-party authorization that DKIM implicitly supports. I suspect, though, that you're looking for a mechanism by which X can say "d=Y with From: X is OK by us." Nothing officially supports that right now.
>
> I'm surprised to see this level of misunderstanding on this mail list between experts in this space. Is there already a BCP from IETF regarding DKIM key management with/for 3rd-party senders? If not IETF, anywhere else? If not, we probably should put one together.
>
> -- Brett
There is actually another approach besides what you indicate above. A domain can delegate a domain or subdomain to the 3rd party and let them generate the keys and signature.

Mike

_______________________________________________
dkim-ops mailing list
[email protected]
http://mipassoc.org/mailman/listinfo/dkim-ops
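The two authorization patterns discussed in the thread, modelled from the verifier's side, as an added example that is not part of the list discussion, the dkim.org FAQ, or any DKIM implementation. It uses a constructed in-memory DNS table: `example.com`, `bulk.example.com`, `esp.example.net`, the selector names `corp`, `esp2010` and `old`, and the key material are all placeholders. Pattern 1 is Murray's: the third party's public key is published in the domain owner's own zone, so the third party can sign with the owner's `d=`. Pattern 2 is Mike's: a subdomain is delegated (NS records) to the third party, who generates the key pair and publishes it there. The check also handles the revocation case (an empty `p=` tag, per RFC 6376 section 3.6.1), which is how the owner later withdraws the authorization.

```python
"""Added example: how a DKIM verifier decides that a signing domain (d=)
authorized the key named by a selector (s=), for both third-party patterns.
All DNS data is a constructed in-memory table with placeholder names/keys."""
import base64
from typing import Dict, List, Optional

# Placeholder public keys (real records carry the base64 DER of an RSA key).
PUBKEY_OWN = base64.b64encode(b"placeholder-key-owned-by-example.com").decode()
PUBKEY_ESP = base64.b64encode(b"placeholder-key-generated-by-the-esp").decode()

# Constructed DNS: name -> {record type -> values}. Only the zone cuts that
# matter for this example are listed.
DNS: Dict[str, Dict[str, List[str]]] = {
    "example.com": {"NS": ["ns1.example.com", "ns2.example.com"]},
    # The owner's own key.
    "corp._domainkey.example.com": {"TXT": [f"v=DKIM1; k=rsa; p={PUBKEY_OWN}"]},
    # Pattern 1: the third party hands example.com its public key and
    # example.com publishes it in its own zone; the third party may then
    # sign with d=example.com.
    "esp2010._domainkey.example.com": {"TXT": [f"v=DKIM1; k=rsa; p={PUBKEY_ESP}"]},
    # Revocation: empty p= means the key is revoked (RFC 6376, section 3.6.1).
    "old._domainkey.example.com": {"TXT": ["v=DKIM1; k=rsa; p="]},
    # Pattern 2: bulk.example.com is delegated to the third party's
    # nameservers; it generates the key pair, publishes the public half
    # itself, and signs with d=bulk.example.com.
    "bulk.example.com": {"NS": ["ns1.esp.example.net", "ns2.esp.example.net"]},
    "esp2010._domainkey.bulk.example.com": {"TXT": [f"v=DKIM1; k=rsa; p={PUBKEY_ESP}"]},
}


def parse_tag_list(record: str) -> Dict[str, str]:
    """Parse a DKIM tag=value list (RFC 6376, section 3.2): tags separated by
    ';', whitespace around names and values ignored, trailing ';' allowed."""
    tags: Dict[str, str] = {}
    for field in record.split(";"):
        if not field.strip():
            continue
        if "=" not in field:
            raise ValueError(f"malformed tag: {field!r}")
        name, value = field.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value.strip()
    return tags


def key_record_name(d: str, s: str) -> str:
    """DNS name a verifier queries for the d= and s= tags of a DKIM-Signature."""
    return f"{s}._domainkey.{d}"


def enclosing_zone(dns: Dict[str, Dict[str, List[str]]], name: str) -> Optional[str]:
    """Closest ancestor of name (or name itself) carrying NS records, i.e. the
    zone whose operator controls this record in the constructed DNS model."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if "NS" in dns.get(candidate, {}):
            return candidate
    return None


def check_signer_authorization(dns: Dict[str, Dict[str, List[str]]], d: str, s: str) -> Dict[str, object]:
    """Authorization as described in the thread: d= authorized the key iff a
    non-revoked key record for s= exists under d=. Also reports which zone
    (and so whose nameservers) serves the record."""
    name = key_record_name(d, s)
    zone = enclosing_zone(dns, name)
    result: Dict[str, object] = {
        "record": name,
        "zone": zone,
        "nameservers": dns.get(zone, {}).get("NS", []) if zone else [],
        "authorized": False,
        "reason": "",
    }
    txt_values = dns.get(name, {}).get("TXT", [])
    if not txt_values:
        result["reason"] = "no key record under d=; selector not authorized"
        return result
    tags = parse_tag_list(txt_values[0])
    if tags.get("v", "DKIM1") != "DKIM1":  # v= defaults to DKIM1 when absent
        result["reason"] = "unsupported key record version"
        return result
    if not tags.get("p"):
        result["reason"] = "key revoked (empty p=)"
        return result
    result["authorized"] = True
    result["public_key"] = tags["p"]
    result["reason"] = "d= published this public key; holder of the private half may sign as d="
    return result


if __name__ == "__main__":
    for d, s in [("example.com", "corp"), ("example.com", "esp2010"),
                 ("example.com", "old"), ("bulk.example.com", "esp2010"),
                 ("example.com", "unknown")]:
        r = check_signer_authorization(DNS, d, s)
        print(f"d={d} s={s}: authorized={r['authorized']} zone={r['zone']} "
              f"ns={r['nameservers']} ({r['reason']})")
```

In pattern 1 the record is served by the owner's own nameservers, so the owner controls publication and revocation but must handle the third party's key rotation; in pattern 2 the record is served by the third party's nameservers, so rotation is theirs but the signature carries the subdomain rather than the parent domain in `d=`. Neither pattern expresses "d=Y with From: X is OK", which is the gap Murray notes.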
