On Mar 24, 2008, at 10:00 PM, Jim Fenton wrote:
Section 4.3, "The Selector Construct", talks quite a bit about
identities for doing assessments. Other than the point that it
makes in the section beginning NOTE:, none of this has anything to
do with selectors. Furthermore, I consider it premature to define
the identity(-ies) that might be used for assessments, not having
operational experience with this (although I do agree that making
assessments based on the selector is a Bad Idea).
The last paragraph also suggests the use of different sub-domains
for d=, but does not point out that the author address must also
follow suit, otherwise the message may not be seen to be in
compliance with Signing Policy.
IMHO, signing policy should separate itself from constraints defined
by RFC4871 regarding the scope of identities that can be associated
with signatures. Signing Policy should be limited to whether a
particular domain signs all of their messages, where which identities
are associated with the signature is a separate issue. It is
counterproductive to have verifiers expend efforts policing the scope of
identities included within a policy hierarchy extending to
sub-domains. Is this really a problem that needs to be solved via signing
policy? After all, a parent domain is free to publish any records they
wish, where DKIM is unable to change that reality.
Specifically, I suggest the removal of all but the first sentence of
paragraph 1, and all of the last paragraph of the section.
Disagree, this is perhaps one sentence that gets the link to a
responsible entity right?
-Doug