I'm not sure that we aren't in agreement here. But I'm also not sure
that we are.
The granularity of the identity is (potentially) per user. But the
granularity of the signer is per-selector. Thus, the identity in i=
is really a statement by the domain that "I have good reason to
believe that this is the responsible party" --- and "good reason to
believe" is left undefined, at least in the DKIM spec.
The point is really to be able to establish accountability. Viewed
externally, the domain is the responsible party for the message. But
internal to that domain, the local-part of the i= is useful. This is
almost a one-for-one analogy with email addresses, where the
local-part is opaque to all but the recipient domain.
eric
--On August 9, 2005 4:23:20 PM -0700 Michael Thomas <mike(_at_)mtcc(_dot_)com>
wrote:
Eric Allman wrote:
That is not correct. The local part of the i= is intended to
provide a binding to the local part of outside origination
headers, not just the domain part. Which is why it is,
in fact, a primary goal.
That doesn't change the fact that it is the /domain/ signing a
message, not a user. That domain may identify the individual
user in such a way that is within the comfort zone of the signing
domain administrator, but the keys are still owned and
administrated by the domain owner.
That's all true, but that's not what Dave asserted:
> This is precisely what DKIM does. It is the domain
administrator who
> defines
> the DNS records used by DKIM and DKIM's granularity of the
validated
^^^^^^^^^^^
> identity is a domain name.
^^^^^^^^^^^
There's finer granularity than the domain name. The i= defines
it, not to mention the g=. Which in terms of a problem statement,
etc, is misleading to say that it's a secondary goal; it's been
a primary goal all along for everybody that I can determine except
Dave.
Mike
_______________________________________________
ietf-dkim mailing list
ietf-dkim(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/ietf-dkim