[dkim-ops] RFC 5672 and optional vs. default value of AUID

2010-09-16 13:42:50
Could someone help me understand how AUIDs are to be processed when there is 
no i= provided in the DKIM signature per RFC 5672 (the DKIM update)?

It is clear that AUIDs are optional.
But i= has a default value.

So, should the signature be processed as if the default value for the AUID (i= 
value) were present or processed as if the AUID (i= value) wasn't even part of 
the specification?

I'm asking the question because this section, related to restricting key 
applicability across the namespace using t=s in the key record, has a dependency 
on the AUID in the signature:

Corrected Text:

      ...for example, a key record for the domain example.com can be
      used to verify messages where the AUID ("i=" tag of the signature)
      is sub.example.com, or even sub1.sub2.example.com.  In order to
      limit the capability of such keys when this is not intended, the
      "s" flag MAY be set in the "t=" tag of the key record, to
      constrain the validity of the domain of the AUID.  If the
      referenced key record contains the "s" flag as part of the "t="
      tag, the domain of the AUID ("i=" flag) MUST be the same as that
      of the SDID (d=) domain.  If this flag is absent, the domain of
      the AUID MUST be the same as, or a subdomain of, the SDID.



Thanks!

-- Brett
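
The check described in the quoted text, as an added example that is not part of the original post or of any DKIM implementation. It assumes the i= default stated in RFC 4871 section 3.5 (an empty local-part, "@", then the d= domain) is applied when the tag is absent; the function names and sample tag lists are constructed for illustration.

```python
def parse_tags(tag_list):
    """Parse a DKIM tag=value list (signature header value or key record)."""
    tags = {}
    for part in tag_list.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Folding whitespace inside values is not significant for this check
            tags[name.strip()] = "".join(value.split())
    return tags


def effective_auid(sig):
    """Return i= if present, else the assumed default: "@" + d= domain."""
    return sig.get("i") or "@" + sig["d"]


def auid_allowed(signature, key_record):
    """Apply the AUID/SDID domain rule, honouring the "s" flag in t=."""
    sig, key = parse_tags(signature), parse_tags(key_record)
    sdid = sig["d"].lower().rstrip(".")
    auid_domain = effective_auid(sig).rsplit("@", 1)[-1].lower().rstrip(".")
    flags = key.get("t", "").split(":")  # t= is a colon-separated flag list
    if "s" in flags:
        # Strict: AUID domain must be identical to the SDID
        return auid_domain == sdid
    # Otherwise: same domain or any subdomain of the SDID
    return auid_domain == sdid or auid_domain.endswith("." + sdid)


# Constructed sample inputs (not real signatures or keys).
SIG_NO_I = "v=1; a=rsa-sha256; d=example.com; s=sel; h=from; bh=AAAA; b=BBBB"
SIG_SUB = ("v=1; a=rsa-sha256; d=example.com; s=sel; "
           "i=@sub.example.com; h=from; bh=AAAA; b=BBBB")
KEY_STRICT = "v=DKIM1; k=rsa; t=s; p=CCCC"
KEY_LOOSE = "v=DKIM1; k=rsa; p=CCCC"
KEY_TEST_STRICT = "v=DKIM1; t=y:s; p=CCCC"

if __name__ == "__main__":
    for sig in (SIG_NO_I, SIG_SUB):
        for key in (KEY_STRICT, KEY_LOOSE):
            auid = effective_auid(parse_tags(sig))
            print(auid, "|", key, "->", auid_allowed(sig, key))
```

Under that assumption, a signature with no i= always satisfies a t=s key record, because the defaulted AUID domain equals the SDID.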