On Jul 19, 2006, at 1:40 PM, Michael Thomas wrote:
> -1
> First of all this would break backward compatibility with the
> existing DK records. Second, I don't see what the problem is with
> the current sense: if you don't like subdomains, by all means set
> t=s. And I can tell you from first-hand experience as somebody who
> has deployed this: the subdomain signing feature is definitely
> being used, so the comment on draft standard does not apply.

Inverting the meaning of the "s" flag is compatible with a DomainKeys
record, as the DomainKeys signature does not include a separate
signing identity nor an "s" flag. The DKIM signature version can also
differentiate between pre-draft versions that lack provisions for
constraining valid signatures for subdomain identities. This issue
matters during verification where an older DKIM verifier will not
correctly interpret the "s" flag regardless. For those currently
signing subdomain identities to this draft, the "s" flag should be
added. Not having the "s" flag should default to a safer and
constrained mode of operation. Removing the subdomain identity
constraint in exceptional cases should involve the minor effort of
adding the optional (not recommended) "s" flag. Hopefully, in the
majority of cases, the "s" flag is not included and perhaps not
acceptable. Just as with the l= tag, ignoring it does the right
thing. The same should be true with the "s" flag.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
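
The two senses of the "s" flag argued over in this message, as an added example (not part of the original post and not taken from any DKIM implementation): a check of the i= identity against d= under the existing sense (t=s forbids subdomain identities) and under the inverted sense proposed in the reply. The function names, the `inverted` parameter and the sample key records are constructed for illustration.

```python
def parse_tags(tag_list):
    """Parse a DKIM tag=value list (key record or signature) into a dict."""
    tags = {}
    for part in tag_list.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags


def identity_allowed(key_record, d, i=None, inverted=False):
    """Decide whether signing identity i= is acceptable for signing domain d=.

    inverted=False: existing sense, "s" present means i= may not be a subdomain.
    inverted=True:  sense proposed in the reply, "s" absent means the same
                    constraint and "s" present lifts it.
    """
    flags = {f.strip() for f in parse_tags(key_record).get("t", "").split(":")}
    d = d.lower().rstrip(".")
    # A missing i= defaults to "@d"; only the domain part matters here.
    ident = (i.rsplit("@", 1)[-1] if i else d).lower().rstrip(".")
    exact = ident == d
    if not exact and not ident.endswith("." + d):
        return False  # identity is outside d= entirely
    strict = ("s" in flags) != inverted
    return exact or not strict


# Constructed key records; the p= value is a placeholder, not a real key.
KEY_WITH_S = "v=DKIM1; k=rsa; t=y:s; p=PLACEHOLDER"
KEY_WITHOUT_S = "v=DKIM1; k=rsa; p=PLACEHOLDER"

if __name__ == "__main__":
    for label, rec in (("t=s", KEY_WITH_S), ("no s", KEY_WITHOUT_S)):
        for inverted in (False, True):
            ok = identity_allowed(rec, "example.com", "user@mail.example.com", inverted)
            print(f"{label:5} inverted={inverted!s:5} subdomain identity allowed: {ok}")
```

A verifier that ignores the flag entirely behaves like the "no s" row of the existing sense, which is the case the reply's comparison with the l= tag is about.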