Could someone help me understand how AUIDs are to be processed when there is
no i= provided in the DKIM signature per RFC 5672 (the DKIM update)?
It is clear that AUIDs are optional.
But i= has a default value.
So, should the signature be processed as if the default value for the AUID (i=
value) were present or processed as if the AUID (i= value) wasn't even part of
the specification?
I'm asking the question because this section, related to restricting key
applicability across the namespace using t=s in the key record, has a dependency
on the AUID in the signature:
Corrected Text:
...for example, a key record for the domain example.com can be
used to verify messages where the AUID ("i=" tag of the signature)
is sub.example.com, or even sub1.sub2.example.com. In order to
limit the capability of such keys when this is not intended, the
"s" flag MAY be set in the "t=" tag of the key record, to
constrain the validity of the domain of the AUID. If the
referenced key record contains the "s" flag as part of the "t="
tag, the domain of the AUID ("i=" flag) MUST be the same as that
of the SDID (d=) domain. If this flag is absent, the domain of
the AUID MUST be the same as, or a subdomain of, the SDID.
Thanks!
-- Brett
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
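
An added example, not part of the original post and not taken from any DKIM implementation: a verifier-side check of the quoted t=s rule that applies the specification's default for a missing i= (an empty local part, "@", then the d= domain). The function names and the sample signature and key-record strings are constructed for illustration.

```python
import re

def parse_tags(value):
    """Parse a DKIM tag=value list (signature or key record) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def effective_auid(sig_tags):
    """Return the AUID; when i= is absent, use the default "@" + d= value."""
    if "i" in sig_tags:
        return sig_tags["i"]
    return "@" + sig_tags["d"]

def auid_allowed(signature, key_record):
    """Apply the quoted rule: with the "s" flag the AUID domain must equal
    the SDID; without it, it must equal or be a subdomain of the SDID."""
    sig = parse_tags(signature)
    key = parse_tags(key_record)
    sdid = sig["d"].lower()
    auid_domain = effective_auid(sig).rpartition("@")[2].lower()
    flags = [f for f in key.get("t", "").split(":") if f]  # colon-separated
    if "s" in flags:
        return auid_domain == sdid
    # Match on a label boundary so "notexample.com" is not accepted.
    return auid_domain == sdid or auid_domain.endswith("." + sdid)

# Constructed sample inputs (not real signatures or keys).
SIG_NO_I = "v=1; a=rsa-sha256; d=example.com; s=sel; h=from; bh=AAAA; b=BBBB"
SIG_SUB_I = SIG_NO_I + "; i=user@sub.example.com"
SIG_BAD_I = SIG_NO_I + "; i=@notexample.com"
KEY_STRICT = "v=DKIM1; k=rsa; t=y:s; p=CCCC"
KEY_LOOSE = "v=DKIM1; k=rsa; p=CCCC"

if __name__ == "__main__":
    for sig in (SIG_NO_I, SIG_SUB_I, SIG_BAD_I):
        for key in (KEY_STRICT, KEY_LOOSE):
            auid = effective_auid(parse_tags(sig))
            print(auid, "t=s" if key is KEY_STRICT else "no t=s",
                  auid_allowed(sig, key))
```

With the default applied, a signature that omits i= always satisfies t=s, because its AUID domain is the SDID itself.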