,---
| g= granularity of the key (plain-text; OPTIONAL, default is "*").
| This value MUST match the local part of the signing address, with
| a "*" character acting as a wildcard. The intent of this tag is
| to constrain which signing address can legitimately use this
| selector. An email with a signing address that does not match
| the value of this tag constitutes a failed verification.
| Wildcarding allows matching for addresses such as "user+*". An
| empty "g=" value never matches any addresses.
'___
When the key is allowed to be used by identities within sub-domains of
the key reference, security is improved by also constraining which
sub-domains are allowed to use the key. This requires that both a
right- and a left-hand wildcard be accommodated. In addition, a symbol,
such as '_', is needed to represent the domain containing the
"_domainkey" sub-domain.
Change to:
: g= granularity of the key (plain-text; OPTIONAL, default is "*").
: This value MUST match the localpart and possible sub-domains of
: the identity specified by the i= parameter, with a "*" character
: acting as a wildcard, and the '_' character representing the
: domain containing the "_domainkey" label. The intent of this
: tag is to constrain which identity can legitimately use this key.
: When the g= template of this tag cannot be expanded to match the
: identity, this constitutes a failed verification. Wildcarding
: allows matching the identity using a template expansion such as
: "user*", "user@*", "*@_", or "*@sub-domain_", or
: "*@*sub-domain_".
: Multiple labels contained within the sub-domain template are
: separated by the "." character. An empty "g=" value never matches
: any identity. The value "g=*@*" or "g=*@*_" should always be
: expressed as the simpler form "g=*".
,---
| 6.2 Get the Public Key
| ...
| 6. If the "g=" tag in the public key does not match the local part
| of the "i=" tag on the message signature, the verifier MUST
| ignore the key record and return with DKIM_STAT_INAPPLICABLE.
'___
Change to:
: 6. If the "g=" tag in the public key does not match the identity
: of the "i=" tag on the message signature, the verifier MUST
: ignore the key record and return with DKIM_STAT_INAPPLICABLE.
-Doug
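
An added sketch, not part of the message above or of any DKIM implementation, of how a verifier could evaluate the proposed g= template against the i= identity; a False result corresponds to ignoring the key record in step 6. Assumptions: "*" matches zero or more characters, a template without "@" accepts any sub-domain, the dot joining a sub-domain template to "_" is implied, and `g_matches` and `key_domain` are hypothetical names.

```python
import re

def _glob(template, text, flags=0):
    """Anchored match in which '*' is the only wildcard (zero or more chars)."""
    pattern = ".*".join(re.escape(part) for part in template.split("*"))
    return re.fullmatch(pattern, text, flags | re.DOTALL) is not None

def g_matches(g, identity, key_domain):
    """True if identity (the i= value) fits the g= template of a key
    published under _domainkey.<key_domain>."""
    if not g or "@" not in identity:
        return False                      # an empty g= never matches
    local, _, domain = identity.rpartition("@")
    domain = domain.lower().rstrip(".")
    key_domain = key_domain.lower().rstrip(".")
    # The identity must sit at or below the domain that holds the key;
    # compare whole labels so "notexample.com" cannot pass for "example.com".
    if domain == key_domain:
        sub = ""
    elif domain.endswith("." + key_domain):
        sub = domain[: -len(key_domain) - 1]
    else:
        return False
    local_tpl, at, dom_tpl = g.partition("@")
    if not at:
        dom_tpl = "*"                     # assumption: no "@" means any sub-domain
    if dom_tpl.endswith("_"):
        dom_tpl = dom_tpl[:-1]            # "_" is the key domain, already removed from sub
    # Local parts are compared case-sensitively, domain labels are not.
    return _glob(local_tpl, local) and _glob(dom_tpl, sub, re.IGNORECASE)
```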