> -----Original Message-----
> From: MH Michael Hammer (5304) [mailto:[email protected]]
> Sent: Monday, September 13, 2010 12:40 PM
> To: Murray S. Kucherawy; McDowell, Brett
> Cc: [email protected]
> Subject: RE: [dkim-ops] BCP for authorizing third-parties ([...] was
> subdomain vs. cousin domain)
>
> > But I, as a verifier, can't tell that email.americangreetings.com is
> > actually a third party. It's just another domain to me.
>
> There is in fact a significant difference between handing your private
> key to a 3rd party and delegating a subdomain. While to you as a
> verifier, it may be just another domain, to myself as a sender and
> signer it is a significant difference in terms of management and
> control.

But don't signers need to have some idea of how the verifiers will handle the signatures when deciding how to do such delegations? Absent any document to follow like a BCP for verifiers, you're left to guess at whether a verifier will query the DNS further to figure out if it's a delegation to a third party or not, and then do enough of those to test all the possibilities.

> > Things like TPA or DSAP attempt to make the delegation of authority
> > visible, but the ones that use DNS mechanisms like CNAME and NS don't do
> > so.
>
> You are correct. I forget that many in the mail community do not know
> how to use tools such as dig.

I wouldn't go that far, but I'm certain that most or all automated DKIM verifiers currently don't bother with any of that.

_______________________________________________
dkim-ops mailing list
[email protected]
http://mipassoc.org/mailman/listinfo/dkim-ops
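
Added example, not part of the original message or of any DKIM implementation: a sketch of the extra DNS inspection a verifier would need in order to notice a CNAME or NS delegation behind a signing domain. The function name, the `ZONE` snapshot, and the `example.com` / `example.net` names are constructed, and the organizational domain is assumed to be supplied by the caller.

```python
# Constructed DNS snapshot: (owner name, record type) -> values. Not real data.
ZONE = {
    ("s1._domainkey.email.example.com", "CNAME"): ["s1.dkim.esp.example.net"],
    ("news.example.com", "NS"): ["ns1.esp.example.net", "ns2.esp.example.net"],
    ("s1._domainkey.news.example.com", "TXT"): ["v=DKIM1; k=rsa; p=<constructed>"],
    ("s1._domainkey.example.com", "TXT"): ["v=DKIM1; k=rsa; p=<constructed>"],
}

def _norm(name):
    return name.rstrip(".").lower()

def within(name, domain):
    """True if name equals domain or is a subdomain of it."""
    name, domain = _norm(name), _norm(domain)
    return name == domain or name.endswith("." + domain)

def classify_delegation(d, selector, org_domain, zone=ZONE):
    """Return (kind, evidence) for the key record of d=/s= as seen in DNS.

    Heuristic only: one CNAME hop is inspected, and out-of-domain NS names
    are treated as a sign of delegation (hypothetical policy choice).
    """
    d, org_domain = _norm(d), _norm(org_domain)
    if not within(d, org_domain):
        raise ValueError("d= is not inside the given organizational domain")
    key_name = f"{_norm(selector)}._domainkey.{d}"
    # 1. Key record is an alias pointing outside the organizational domain.
    outside = [t for t in zone.get((key_name, "CNAME"), [])
               if not within(t, org_domain)]
    if outside:
        return ("cname", outside)
    # 2. Zone cut between d= and the organizational domain, served by
    #    nameservers outside it (the organizational domain itself is skipped).
    labels = d.split(".")
    for i in range(len(labels) - len(org_domain.split("."))):
        name = ".".join(labels[i:])
        outside = [ns for ns in zone.get((name, "NS"), [])
                   if not within(ns, org_domain)]
        if outside:
            return ("ns", outside)
    # 3. Nothing visible in DNS. This also covers a third party that was
    #    handed the private key: the TXT record looks first-party.
    return ("none-visible", [])
```

The third outcome is the case the thread contrasts with subdomain delegation: when the private key itself is handed over, no amount of DNS querying reveals the third party.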
