> -----Original Message-----
> From: Murray S. Kucherawy [mailto:[email protected]]
> Sent: Monday, September 13, 2010 3:32 PM
> To: MH Michael Hammer (5304); McDowell, Brett
> Cc: [email protected]
> Subject: RE: [dkim-ops] BCP for authorizing third-parties ([...] was
> subdomain vs. cousin domain)
>
> > -----Original Message-----
> > From: MH Michael Hammer (5304) [mailto:[email protected]]
> > Sent: Monday, September 13, 2010 12:27 PM
> > To: Murray S. Kucherawy; McDowell, Brett
> > Cc: [email protected]
> > Subject: RE: [dkim-ops] BCP for authorizing third-parties ([...] was
> > subdomain vs. cousin domain)
> >
> > Actually not quite true Murray.
> >
> > If I am signing for americangreetings.com and I delegate
> > email.americangreetings.com to ExactTarget (a real example) and they are
> > generating their own keys for email. and signing, that is a first party
> > signature as far as the verifier is concerned (not 3rd party).
> >
> > It also doesn't integrate email. into the base domain of
> > americangreetings.com from a verifier perspective.
>
> But I, as a verifier, can't tell that email.americangreetings.com is
> actually a third party. It's just another domain to me.
>

There is in fact a significant difference between handing your private key to a 3rd party and delegating a subdomain. While to you as a verifier, it may be just another domain, to myself as a sender and signer it is a significant difference in terms of management and control.

> Things like TPA or DSAP attempt to make the delegation of authority
> visible, but the ones that use DNS mechanisms like CNAME and NS don't do
> so.

You are correct. I forget that many in the mail community do not know how to use tools such as dig.

_______________________________________________
dkim-ops mailing list
[email protected]
http://mipassoc.org/mailman/listinfo/dkim-ops
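The exchange above turns on whether CNAME- or NS-based delegation of a DKIM signing domain can be seen from DNS. As an added example that is not part of the original thread, the sketch below classifies a signing domain from dig-style answer lines. The records, the `example.com` and `esp-vendor.example` names, the selectors and the function names are all constructed assumptions.

```python
# Added example: classify how the key for a DKIM d= domain is published.
# SAMPLE_ANSWERS is constructed data in "name ttl class type rdata" form.
SAMPLE_ANSWERS = """\
example.com.                     3600 IN NS    ns1.example.com.
example.com.                     3600 IN NS    ns2.example.com.
email.example.com.               3600 IN NS    ns1.esp-vendor.example.
email.example.com.               3600 IN NS    ns2.esp-vendor.example.
s1._domainkey.news.example.com.  3600 IN CNAME s1.dkim.esp-vendor.example.
s2._domainkey.example.com.       3600 IN TXT   "v=DKIM1; k=rsa; p=..."
"""

def parse_answers(text):
    """Return (name, type, rdata) tuples; host names lowercased, dot stripped."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if line.startswith(";") or len(parts) < 5:
            continue  # skip dig comment lines and anything malformed
        name, _ttl, _cls, rtype, rdata = parts
        if rtype.upper() in ("NS", "CNAME"):
            rdata = rdata.strip().rstrip(".").lower()
        records.append((name.rstrip(".").lower(), rtype.upper(), rdata))
    return records

def under(name, parent):
    """True if name is parent itself or a subdomain of it."""
    return name == parent or name.endswith("." + parent)

def classify(d, selector, org_domain, records):
    """Report how the key for (selector, d) leaves org_domain's control, if at all.

    An external host name only shows where DNS points; it does not prove who
    holds the private key (it may simply be a managed DNS provider).
    """
    d, org_domain = d.lower(), org_domain.lower()
    key_name = f"{selector}._domainkey.{d}".lower()
    cnames = [r for n, t, r in records if n == key_name and t == "CNAME"]
    external = [c for c in cnames if not under(c, org_domain)]
    if external:
        return ("cname", external)
    ns = sorted(r for n, t, r in records if n == d and t == "NS")
    external_ns = [h for h in ns if not under(h, org_domain)]
    if d != org_domain and external_ns:
        return ("ns-delegation", external_ns)
    return ("in-zone", [])

RECORDS = parse_answers(SAMPLE_ANSWERS)
```

A DKIM verifier performs none of these lookups; it only fetches the TXT record for the selector, so all three cases verify identically.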
