ietf-dkim

Re: [ietf-dkim] Re: Responsibility vs. Validity

2007-11-28 13:11:40

On Nov 28, 2007, at 11:35 AM, Jim Fenton wrote:

Michael Thomas wrote:
Frank Ellermann wrote:

So the implication here is that that sort of domain could never run a mailing list that resigns messages? That doesn't seem right to me.

That's precisely one of the motivations for the local-part of the i= tag. If a message from this list, for example, were signed with i=ietf-dkim@mipassoc.org, the signing address would not match jdoe@mipassoc.org, so there's no confusion about whether it's an originator signature or a mailing list signature.


1) The i= parameter must include the localpart to help ensure on whose behalf the message was signed.

(This might be helpful when the identity is found within a Sender header instead of the From header.)

2) The localpart must be included within the i= parameter to ensure on whose behalf the message was signed, but _only_ when the localpart has been authenticated.

3) The localpart must be included within the i= parameter whenever a restricted key is used, but where the localpart may not have been fully authenticated when wildcards are employed.

It is not clear whether the localpart included within the i= parameter actually implies authentication. I'll even bet that it doesn't in many cases.

-Doug
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
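The distinction Jim Fenton draws (an i= whose local-part matches the author versus a list's own identity) can be checked mechanically. The following is an added example, not code from the thread or from any DKIM implementation: it parses a DKIM-Signature tag list and compares the i= identity to the From address. The header values are constructed; the tag names and the rule that the i= domain must equal d= or be a subdomain of it come from RFC 4871.

```python
from email.utils import parseaddr

# Constructed sample headers (not taken from the thread): a list signature,
# as in Jim's example, over a message authored by jdoe@mipassoc.org.
# bh= and b= carry placeholder values; they are not inspected here.
SAMPLE_DKIM = ("v=1; a=rsa-sha256; d=mipassoc.org; s=lists; "
               "i=ietf-dkim@mipassoc.org; h=from:to:subject; "
               "bh=PLACEHOLDER; b=PLACEHOLDER")
SAMPLE_FROM = "John Doe <jdoe@mipassoc.org>"

def parse_tags(header):
    """Parse a DKIM-Signature tag=value list into a dict."""
    tags = {}
    for item in header.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def classify_signature(dkim_header, from_header):
    """Compare the signature's i= (AUID) with the From address.

    Returns (kind, local_part_present) where kind is one of
    'author', 'domain-only', 'third-party' or 'invalid'.
    """
    tags = parse_tags(dkim_header)
    d = tags.get("d", "").lower()
    auid = tags.get("i", "@" + d).lower()   # default AUID is "@<d=>"
    local, _, auid_dom = auid.rpartition("@")
    # The AUID domain must be d= itself or a subdomain of it.
    if not d or not (auid_dom == d or auid_dom.endswith("." + d)):
        return ("invalid", bool(local))
    author = parseaddr(from_header)[1].lower()
    author_local, _, author_dom = author.rpartition("@")
    if not local:
        # The signer vouched for the domain only; nothing is said about the user.
        return ("domain-only", False)
    if local == author_local and auid_dom == author_dom:
        return ("author", True)
    # A local-part is present but names someone else, e.g. the list itself.
    # Its presence alone does not show that the signer authenticated it.
    return ("third-party", True)
```

A 'third-party' result only says the signer named an identity other than the author; as Doug points out above, a local-part in i= is not by itself evidence that the local-part was authenticated.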