dkim-ops

Re: [dkim-ops] subdomain vs. cousin domain (when deploying "discardable")

2010-09-09 17:03:25
John Levine wrote:
> It certainly is an option, and it would certainly work.  But
> personally, I reserve use of the words "best practice" for things that
> have been shown to work better than all other options.  I don't know
> that that's been measured yet.

Good point... I figured someone would say it :-)

> The real problem is that we're all guessing.  If everyone followed the
> rules for DKIM and ADSP, it wouldn't matter what domains you used,
> since the specs make it quite clear that as far as DKIM is concerned,
> there's no relation between one domain and another, even if one is a
> subdomain of another.

But here you are expressing an opinion not everyone agrees with now 
the 4871 specs say this. I don't endorse what 4871bis says about 
separating the association because it's another engineering conflict 
and mistake.  As long as the DKIM binds the 5322.From as a signature 
requirement - not an option, it will always, by technical engineering 
design, be an association and relationship.  Yes, we all know you want 
to break that relationship hence all the policy conflicts. You just 
can't have software do one thing and use "words" to say it means 
nothing.  It doesn't work. It doesn't make sense and you will always 
have that thorn on the side.

If you want to break that signature bind, then remove the 4871 
requirement to hash the 5322.From header.  Only then will it make 
sense.  But I still think you will never break the ultimate 
association:  From::Message that everyone sees, regardless of who signs.

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
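
The two properties this exchange turns on (whether From is among the headers listed in `h=`, and how the signing domain `d=` relates to the 5322.From domain) can be read straight off a message's headers. The sketch below is an added example, not part of the original post or of any DKIM implementation; the header values and `example` domains are constructed, the function names are hypothetical, and no cryptographic verification of the signature is performed.

```python
import re

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 4871, section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def from_domain(from_header):
    """Domain of the address in a From header value (simple single-address case)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else None

def relation(signer, author):
    """DNS relationship between d= and the From domain; label matching only."""
    if not signer or not author:
        return "unknown"
    if signer == author:
        return "same"
    if author.endswith("." + signer):
        return "author-is-subdomain"
    if signer.endswith("." + author):
        return "signer-is-subdomain"
    return "unrelated"  # includes look-alike ("cousin") domains

def check(dkim_signature, from_header):
    tags = parse_tags(dkim_signature)
    signed = [h.lower() for h in tags.get("h", "").split(":")]
    signer = tags.get("d", "").lower()
    author = from_domain(from_header)
    rel = relation(signer, author)
    return {
        "from_signed": "from" in signed,     # RFC 4871 requires From in h=
        "relation": rel,
        # ADSP (RFC 5617) only counts a signature whose d= equals the From domain
        "author_domain_match": "from" in signed and rel == "same",
    }

# Constructed sample headers (bh= and b= are placeholders, not real values)
SIG = "v=1; a=rsa-sha256; d=example.com; s=sel1; h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER"

if __name__ == "__main__":
    for frm in ("A <a@example.com>", "News <offers@news.example.com>",
                "News <offers@example-news.com>"):
        print(frm, check(SIG, frm))
```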

