ietf-dkim

Re: [ietf-dkim] DKIM Threat Assessment v0.02 (very rough draft)

2005-08-09 17:14:09
Earl Hood wrote:
On August 9, 2005 at 15:42, Michael Thomas wrote:


This is precisely what DKIM does.  It is the domain administrator who defines
the DNS records used by DKIM and DKIM's granularity of the validated identity is
a domain name.

That is not correct. The local part of the i= is intended to
provide a binding to the local part of outside origination
headers, not just the domain part. Which is why it is,
in fact, a primary goal.


The setting of i= is under the control of the signing agent, which
does not have to be the author/sender.  If I understand Dave's (and
some others) view of DKIM, it is the domain owner who has the control
of setting i= (via the domain owner's signing process).

Yes.

The granularity of the value of i= is solely up to the domain owner
and the internal (security) policies it defines when signing messages
submitted by the domain owner's users.

Yes. I'm only objecting to the characterization that the
granularity is only at the domain level. The domain can
make assertions about the local part and still be completely
up to the internal policies of the domain holder. This is
one reason that the assertion that DKIM makes and PGP/SMIME
are very different assertions.

The strength of the identity specified in i= is completely up to the
domain owner, and only has meaning to the domain owner.  As noted in
the DKIM draft, the value of i= may not represent any address value
in a message header (e.g. rfc2822.from/sender).

Yes, but when it does, it has significance in what the
signature is asserting.

                Mike
_______________________________________________
ietf-dkim mailing list
ietf-dkim(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/ietf-dkim
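
The granularity question argued in this message, shown as a check a verifier could run on i= against the From header. This is an added example, not part of the original post or of the DKIM draft. It assumes the tag=value syntax, the rule that the i= domain is d= or a subdomain of it, and the default of an absent i= to "@" plus d=, as in the later published DKIM specification (RFC 6376); the function names, result labels and sample headers are constructed for illustration.

```python
from email.utils import parseaddr

def parse_tags(header_value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for item in header_value.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            # Folding whitespace inside a tag value is not significant.
            tags[name.strip()] = "".join(value.split())
    return tags

def identity_binding(dkim_value, from_header):
    """Classify what the signature's i= says about the From address."""
    tags = parse_tags(dkim_value)
    d = tags.get("d", "").lower()
    # Assumption: an absent i= defaults to "@" + d= (RFC 6376 behaviour).
    i = tags.get("i", "@" + d)
    if not d or "@" not in i:
        return "invalid"
    i_local, _, i_domain = i.rpartition("@")
    i_domain = i_domain.lower()
    if not (i_domain == d or i_domain.endswith("." + d)):
        return "invalid"         # i= must sit at or below d=
    f_local, _, f_domain = parseaddr(from_header)[1].rpartition("@")
    if f_domain.lower() != i_domain:
        return "unrelated"       # i= names no address in this header
    if not i_local:
        return "domain"          # signer asserts the domain only
    # Local parts are compared as-is: their meaning belongs to the domain.
    return "address" if i_local == f_local else "local-mismatch"

if __name__ == "__main__":
    # Constructed sample headers; b= is a placeholder, not a real signature.
    frm = "Joe User <joe@example.com>"
    for sig in (
        "a=rsa-sha1; d=example.com; s=sel1; i=joe@example.com; b=PLACEHOLDER",
        "a=rsa-sha1; d=example.com; s=sel1; b=PLACEHOLDER",
        "a=rsa-sha1; d=example.com; s=sel1; i=bulk@lists.example.com; b=PLACEHOLDER",
    ):
        print(identity_binding(sig, frm), "<-", sig)
```

The classification only describes what the signing domain chose to assert; it does not verify the signature itself.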
