1) What constitutes compliance with an "all" assertion
a) Author Domain matching
- global caveat for restricted keys whose identity is not within
From header to ensure security with or without policy assertions.
- compatible with RFC 4871 (valid == compliant).
- valid signatures of non-restricted keys always assert compliance.
- any identity can be associated with signature.
- defensive strategies possible to better cope with compromised
systems.
- privacy can be retained.
- ambiguous signatures are never required.
b) Author Identity matching
- Some valid signatures not compliant with "all" assertion.
- Ambiguous signature required to remain compliant with "all"
assertion.
- Guessing on-behalf-of identity by examining the header stack
may be required with single ambiguous signatures.
- prevents reliance upon single signatures when identity clarity
is desired.
- may introduce identity exploits when signature pairs are not
properly overlapped.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html