Jim Fenton wrote:
Section 4.3, "The Selector Construct", talks quite a bit about
identities for doing assessments.
Let's take care of the "quite a bit", just to make sure we are in sync about
the
relevant text.
The first paragraph merely says that d=/i= are used for making assessments.
The
last paragraph does go into some detail about providing differential
identities, in order to support differential assessment. I can see how that
discussion might seem odd in this section.
On reflection, I'm suspecting there needs to be a separate sub-section, along
the lines of "Choosing names to be used for assessment."
The current text was motivated by the considerable community confusion
surrounding use of i=/d=/s= (as well as their complete independence from From:,
Sender: and the rest). Folks out there who are trying to figure out how to
make
DKIM work are typically either very confused about the issue or at just plain
getting it wrong. The current text was intended to try to clarify at least
some
of this.
Not adequately, it would seem.
Other than the point that it makes in
the section beginning NOTE:, none of this has anything to do with
selectors. Furthermore, I consider it premature to define the
identity(-ies) that might be used for assessments, not having
operational experience with this (although I do agree that making
assessments based on the selector is a Bad Idea).
This re-introduces the basic question of what DKIM's output is. Protocols have
explicit input and output. Either DKIM is a complete and precise protocol or
it
is some sort of fuzzy mechanism creating a guessing game between signers and
verifiers. This confuses the higher-level task of assessing -- which will
always be a bit fuzzy, at best -- and the underlying act of asserting a
responsible domain name.
Since the DKIM specification says that its task is "permitting a signing domain
to claim responsibility" there had better be a very precise way of determing
what domain is doing the claiming. As soon as there is more than one
possibility, then it is no longer a serious protocol.
The last paragraph also suggests the use of different sub-domains for
d=, but does not point out that the author address must also follow
suit, otherwise the message may not be seen to be in compliance with
Signing Policy.
I don't understand. What is there in the DKIM signing protocol that requires
the author adress to "follow suit"?
Specifically, I suggest the removal of all but the first sentence of
paragraph 1, and all of the last paragraph of the section.
Since I believe that clarification of the role of the selector -- and in
particular making sure the reader knows that it is NOT part of the assessment
process -- your suggestion is problematic.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html