ietf-dkim

Re: [ietf-dkim] New Issue: Discussion of assessments in Selector Construct section

2008-03-25 10:57:36

On Mar 24, 2008, at 10:00 PM, Jim Fenton wrote:

> Section 4.3, "The Selector Construct", talks quite a bit about
> identities for doing assessments.  Other than the point that it
> makes in the section beginning NOTE:, none of this has anything to
> do with selectors.  Furthermore, I consider it premature to define
> the identity(-ies) that might be used for assessments, not having
> operational experience with this (although I do agree that making
> assessments based on the selector is a Bad Idea).

> The last paragraph also suggests the use of different sub-domains
> for d=, but does not point out that the author address must also
> follow suit, otherwise the message may not be seen to be in
> compliance with Signing Policy.

IMHO, signing policy should separate itself from constraints defined
by RFC4871 regarding the scope of identities that can be associated
with signatures.  Signing Policy should be limited to whether a
particular domain signs all of their messages, where which identities
are associated with the signature is a separate issue.  It is
counterproductive to have verifiers expend efforts policing the scope of
identities included within a policy hierarchy extending to
sub-domains.  Is this really a problem that needs to be solved via signing
policy?  After all, a parent domain is free to publish any records they
wish, where DKIM is unable to change that reality.

> Specifically, I suggest the removal of all but the first sentence of
> paragraph 1, and all of the last paragraph of the section.

Disagree, this is perhaps one sentence that gets the link to a
responsible entity right?

-Doug

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html