Orbitz might not care about the security issues raised by allowing Doubleclick to sign messages on behalf of their CEO and other executives. Many others will.
This is a security area spec; least privilege must apply wherever possible.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John L
> Sent: Tuesday, August 29, 2006 6:18 PM
> To: DKIM List
> Subject: [ietf-dkim] Delegated signatures in real life
>
> Here are the headers from a message that Doubleclick just sent
> to my Yahoo account on behalf of Orbitz. Note that the From:
> address and DK signature are in email.orbitz.com, even though
> it was sent by Doubleclick from a Doubleclick IP. Yahoo
> thoughtfully displayed a little note saying that the DK
> signature was good when I looked at the message. I also
> include the key record, retrieved from Doubleclick's name servers.
>
> Senders already use NS delegation to let third parties put on
> first party DK signatures. It works. It's popular. There
> is no need to invent another way to solve this solved problem.
>
> Regards,
> John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The
> Internet for Dummies", Information Superhighwayman wanna-be,
> http://www.johnlevine.com, Mayor
> "More Wiener schnitzel, please", said Tom, revealingly.
>
> X-Apparently-To: [EMAIL PROTECTED] via 206.190.38.154; Tue, 29 Aug 2006 07:42:48 -0700
> X-Originating-IP: [198.31.62.19]
> Authentication-Results: mta162.mail.mud.yahoo.com
>   from=email.orbitz.com; domainkeys=pass (ok)
> Received: from 198.31.62.19 (EHLO mta.email.orbitz.com) (198.31.62.19)
>   by mta162.mail.mud.yahoo.com with SMTP; Tue, 29 Aug 2006 07:40:52 -0700
> DomainKey-Signature: s=dk; d=email.orbitz.com; c=nofws; q=dns;
>   b=nUvGhBPdC8bKVo8E/nLbHWcPJE7mFu83ePkSkmcE91EYdNUb7Wl4emekvK3t
>   kHzRCu1u94C7oWy5xX/HOjRBOkudiRdnWaTMkZmHypYllnuyUX71y7WhkeojckSbInn6;
> Date: Tue, 29 Aug 2006 10:40:32 -0400 (EDT)
> From: "Orbitz"<[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Joe, Sale Ending & Rochester Flights from $142 r/t
> MIME-Version: 1.0
> Content-Type: text/html; charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> Content-Length: 6278
>
> (look for the key record)
>
> $ dig dk._domainkey.email.orbitz.com txt
>
> ; <<>> DiG 9.3.1 <<>> dk._domainkey.email.orbitz.com txt
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23293
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;dk._domainkey.email.orbitz.com.        IN      TXT
>
> ;; ANSWER SECTION:
> dk._domainkey.email.orbitz.com. 21600 IN TXT
>   "p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALdLXrYpY2RRUPHr6ph9jVnrFAY
>   vyNjEgGVRmxjiu2EUBEyQDKFOSiDzS00xN/HaIt5IknLJumgu/YdaHhHAgsnnO
>   RUV1JwDcOZ3Xo3Iz9cT3ojg4us6SpQhl01dVGS6dwIDAQAB\;"
>
> _______________________________________________
> NOTE WELL: This list operates according to
> http://mipassoc.org/dkim/ietf-list-rules.html
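The following Python is an added example, not code from the ietf-dkim list, Orbitz or Doubleclick. It walks the verifier's side of what John's quoted headers show: it reads the DomainKey-Signature tags, builds the selector name that dig was run against, and decodes the p= record from the dig answer (copied here as a constant, with the line wrapping removed, so it runs without DNS) to report which key the delegated signer is actually using. It does not verify the signature itself, since the message body is not on the page. The From: domain is taken from John's statement that the From: address is in email.orbitz.com, and the key-size floor is a policy choice for this example, not something the thread states.

```python
"""Inspect the DomainKey-Signature header and key record quoted above.

Added example; not code from the ietf-dkim list, Orbitz or Doubleclick.
Header tags and the p= record are copied from the quoted message with
line folding removed, so the script runs with no DNS access.
"""
import base64
import re

# DomainKey-Signature tag list from the quoted headers (folding removed).
DK_HEADER = (
    "s=dk; d=email.orbitz.com; c=nofws; q=dns; "
    "b=nUvGhBPdC8bKVo8E/nLbHWcPJE7mFu83ePkSkmcE91EYdNUb7Wl4emekvK3t"
    "kHzRCu1u94C7oWy5xX/HOjRBOkudiRdnWaTMkZmHypYllnuyUX71y7WhkeojckSbInn6"
)

# TXT record from the dig output above (line wrapping removed).  The quoted
# message says this answer was served by Doubleclick's name servers.
KEY_TXT = (
    "p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALdLXrYpY2RRUPHr6ph9jVnrFAY"
    "vyNjEgGVRmxjiu2EUBEyQDKFOSiDzS00xN/HaIt5IknLJumgu/YdaHhHAgsnnO"
    "RUV1JwDcOZ3Xo3Iz9cT3ojg4us6SpQhl01dVGS6dwIDAQAB;"
)

# Domain of the From: header, as stated in the quoted message.
FROM_DOMAIN = "email.orbitz.com"

# Smallest RSA modulus this example's verifier accepts.  Policy choice for
# the example (RFC 8301 later set 1024 bits as the floor for DKIM).
MIN_RSA_BITS = 1024

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def parse_tags(text):
    """Parse a DK/DKIM 'tag=value; tag=value' list into a dict.

    Whitespace inside a value is dropped, which is how folded base64 in
    b= and p= is meant to be read.
    """
    tags = {}
    for part in text.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def key_lookup_name(tags):
    """Name a verifier queries for the public key: <s>._domainkey.<d>."""
    return "{}._domainkey.{}".format(tags["s"], tags["d"])


def first_party_signature(tags, from_domain):
    """True when d= is the From: domain, i.e. the third party signed with
    the first party's identity rather than its own."""
    return tags["d"].lower() == from_domain.lower()


def _der_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_key(spki_der):
    """Extract (n, e) from a DER SubjectPublicKeyInfo holding an RSA key."""
    tag, spki, _ = _der_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg, pos = _der_tlv(spki, 0)
    _, oid, _ = _der_tlv(alg, 0)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("key algorithm is not rsaEncryption")
    tag, bitstr, _ = _der_tlv(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsapub, _ = _der_tlv(bitstr, 1)     # RSAPublicKey SEQUENCE
    _, n_bytes, pos = _der_tlv(rsapub, 0)  # modulus INTEGER
    _, e_bytes, _ = _der_tlv(rsapub, pos)  # publicExponent INTEGER
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def inspect_key(txt_record, header_tags):
    """Decode the p= key and report what the verifier would be relying on."""
    n, e = rsa_public_key(base64.b64decode(parse_tags(txt_record)["p"]))
    bits = n.bit_length()
    sig_len = len(base64.b64decode(header_tags["b"]))
    return {
        "modulus_bits": bits,
        "exponent": e,
        # An RSA signature is exactly one modulus in length; a mismatch
        # means this key record cannot belong to this signature.
        "signature_fits_key": sig_len == (bits + 7) // 8,
        "key_strong_enough": bits >= MIN_RSA_BITS,
    }


if __name__ == "__main__":
    tags = parse_tags(DK_HEADER)
    print("key record:", key_lookup_name(tags))
    print("first-party signature:", first_party_signature(tags, FROM_DOMAIN))
    for name, value in inspect_key(KEY_TXT, tags).items():
        print("{}: {}".format(name, value))
```

Run against the page's own data, the key record decodes to a 768-bit RSA key with exponent 65537, and the 96-byte signature in b= matches that size. A 768-bit RSA modulus has been publicly factored since 2009, so a verifier with a sensible floor would not treat this signature as proof of anything. The lookup itself also shows the point the reply above makes: nothing in `dk._domainkey.email.orbitz.com` tells the verifier that the record is served by a delegated third party, so whoever controls that record can sign any message as email.orbitz.com.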
