On May 29, 2006, at 8:53 PM, Steve Atkins wrote:
The only valid reason to require it, I think, is for the benefit of
users who use wildcard MXes, to enable them to make up subdomains
on-the-fly, and who send mail using from addresses in those
subdomains.
The parent domain can still sign messages. The question is whether a
signing-domain should be precluded from linking with an email-address
of a sub-domain. This mechanism is intended to establish trust for
an email-address via the signing-domain. A verifier could create
special policies for when an email-address is a sub-domain of the
signing-domain, which may result in the same practical limitations as
would excluding the use of this linking mechanism. In general,
reducing a profusion of right-hand-side names better establishes
trust. Precluding the use of wildcard MX records also reduces some
concerns related to various attack scenarios.
If this i= provision is included, the informational RFC1591 should be
updated. By allowing a link to an email-address be fully independent
of any domain delegation, TLD managers will be able to offer DKIM
related services where keys for domains can be stored in a sub-domain
directly below the TLD. When one assumes the signing-domain
establishes trust, keys at these locations might be considered elite
property generating substantial revenue. If it become a common
practice for TLD managers to offer DKIM key services, security
becomes far more critical due to a catastrophic failure mode.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html