Hector,
Hector Santos wrote:
Jim,
I appreciated your clarification of the Exclusive (o=!) policy.
First, I must say I had to get over the shock value of this revelation
and fundamental miscalculation. This changes everything. I am vexed as
to how this fell thru the cracks. Rest assured if I had realized this
last year, it would of been topic of debate to atleast get it very clear
what this policy meant as it initially drafted.
Please don't overreact. I would have spoken up sooner if I had
understood the disconnect and if I thought that your interpretation was
as broken as you seem to think it is. I think only minor adjustments
are necessary.
A lot of time wasted and what I really don't appreciate is the lack of
professional courtesy from the key cogs and authors for not clearing
this up very early on for one simple reason:
The term EXCLUSIVE introduced to label the symbolic O=! policy,
was semantically, literally and technically incorrect to be used
for this specific SSP.
I mostly disagree; see definitions below.
From Dictionary.dom:
1. Excluding or tending to exclude: exclusive barriers.
2. Not allowing something else; incompatible:
mutually exclusive conditions.
3. Not divided or shared with others: exclusive
publishing rights.
This is the definition that I think fits. The originating domain does
not want to share the right to apply a valid signature to its messages
with re-signers.
There is one sense where the term "exclusive" may be inappropriate. I
understand that there may be legal reasons, in Europe in particular,
that a domain not try to dictate the handling of messages by others. In
that sense the o=! policy (practice) would mean "I sign all messages,
and do not send through lists and others that would necessitate
re-signing". A verifier could then interpret that policy/practice in
much the same way, but the statement is now declarative, not
imperative. I don't really know what the laws say and whether this
would help, but I suspect it might.
In all fairness, it all make sense now. I can see now why you
commented, there might not be a difference between STRONG and EXCLUSIVE
and that they could be folded. In this case, I think you are correct.
There is no difference now. But then again, you probably meant
something else. :-)
Did I say that? I think there's an important difference between STRONG
and EXCLUSIVE. Not many domains will be able to publish EXCLUSIVE
because only a minority actually adhere to those practices, but it's a
very useful statement for those that do to be able to make.
This changes months of proposed protocol technical analysis and software
modeling 100% based on having a fundamental engineering concept of
always having ideal baseline conditions or two absolute guarantee
extreme end points in the spectrum of possible results. In this case,
EXCLUSIVE (O=!) and NEVER (O=.)
This changes everything:
- Foremost, the security of the protocol. There is no longer an
absolute ideal end point of exclusive protection. The protocol
is now entirely made up using 100% relaxed provisions, which
- Creates new potential entry points to analyze, and which
- Creats a new series of assertions that need to be proved
I will go ahead and provide input with "NEW ISSUES" in the TA. I do
hope this is reconsidered and changed because if DKIM is made of 100% of
relaxed conditions with no absolutes (and the only one now is NEVER), it
will be very difficult me to have any incentive to continue supporting
this protocol purely based on its technical merits.
I'll be interested in your new issues. I don't think that much has
really changed; just that the validity of individual signatures, and not
entire messages, is affected by SSP.
-Jim
_______________________________________________
ietf-dkim mailing list
http://dkim.org