
[ietf-dkim] New Issue: TLD key publication and signing

2006-02-14 16:23:47
Jim Fenton asked me to write a blurb on this after discussing it with
him at the DKIM conference in Santa Clara.

My understanding of the rules around the domain and the identity of a
message is that the identity (i=) must always be the same as the domain
(d=), OR a subdomain of it. Then, the public key published at
<selector>._domainkey.<domain> will be looked up.

I am not, however, aware of any mechanism for preventing a malicious TLD
operator from publishing a key at _domainkey.<tld>. This suggests to me
that it's quite possible for the operators of the TLD, whether that's
Verisign or some government-controlled agency, to then send mail with
d=tld and i=user@example.tld, and that such a message's signature would
validate. To hit closer to home, for me, a sufficiently ill-conceived
SiteMinder-like scheme by Verisign could permit them to send signed mail
with the identity mike.markley@bankofamerica.com by signing as d=com.

Obviously the TLD operators in most countries probably would not risk
the legal challenges to doing something like this, but it opens up
avenues of abuse where the TLD is operated by the government or,
potentially, even by a disgruntled key employee or agent of an
independent TLD operator.

This may simply be "as designed", but it is, IMO, worth documenting. 

-- Mike
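An added example (not from the message above) that models the rule Mike describes: the i= domain must equal d= or be a subdomain of it, and the key is fetched at <selector>._domainkey.<d>. It shows that d=com signing for an identity under bankofamerica.com passes that structural rule, and adds a verifier-side flag for a d= that is a bare TLD; the function names and the short suffix list are assumptions for this illustration, not an authoritative list.

```python
# Added example, not part of the original message. Models the DKIM i=/d=
# rule the message describes and flags signatures whose d= is a bare TLD.
# TOO_BROAD_SUFFIXES is a constructed stand-in, not an authoritative list.

def labels(domain: str) -> list[str]:
    """Split a domain into lowercased labels, ignoring a trailing dot."""
    return [l for l in domain.lower().rstrip(".").split(".") if l]

def identity_domain(identity: str) -> str:
    """Return the domain part of an i= value such as user@example.tld."""
    return identity.rsplit("@", 1)[-1]

def identity_matches_signing_domain(identity: str, d: str) -> bool:
    """True if the i= domain equals d= or is a subdomain of it (label-wise,
    so notexample.tld is not treated as a subdomain of example.tld)."""
    i_labels, d_labels = labels(identity_domain(identity)), labels(d)
    return len(i_labels) >= len(d_labels) and i_labels[-len(d_labels):] == d_labels

def key_record_name(selector: str, d: str) -> str:
    """DNS name at which the verifier fetches the signer's public key."""
    return f"{selector}._domainkey.{d.lower().rstrip('.')}"

# Constructed list of label tuples a verifier treats as too broad to sign for.
TOO_BROAD_SUFFIXES = {("com",), ("tld",), ("co", "uk")}

def evaluate(identity: str, d: str, selector: str) -> dict:
    """Apply the i=/d= rule and flag a structurally valid TLD-level signer."""
    matches = identity_matches_signing_domain(identity, d)
    too_broad = tuple(labels(d)) in TOO_BROAD_SUFFIXES
    return {
        "identity_ok": matches,
        "key_record": key_record_name(selector, d),
        "flag_tld_signer": matches and too_broad,
    }

if __name__ == "__main__":
    # d=com for an identity under bankofamerica.com passes the i=/d= rule,
    # so only the extra flag tells the verifier something is off.
    print(evaluate("mike.markley@bankofamerica.com", "com", "s1"))
    print(evaluate("user@example.tld", "example.tld", "s1"))
    print(evaluate("user@notexample.tld", "example.tld", "s1"))
```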