On Jul 4, 2008, at 3:56 AM, Stephen Farrell wrote:
Full disclosure: I raised this one.
Issue description: https://rt.psg.com/Ticket/Display.html?id=1567
Thread: http://mipassoc.org/pipermail/ietf-dkim/2008q1/009843.html
Dave proposed a paragraph that might be worth adding, but that also
attracted a couple of +/- comments.
(As chair) I think the editors should handle this as they see fit.
Barring objection, to be closed one week after overview-10 issues.
(As participant) During the thread I volunteered to do some work [1]
that I vaguely recollect actually doing, but can't find any mail for
(hate when that happens;-). If I didn't do it and it's still useful,
can the editors let me know and I'll take a whack at it, now or on
overview-10, whichever they prefer. Saying nothing means I either
did it already or won't be doing it:-)
Not that I have had much time to review the overview...
There are two distinct concepts of identity within DKIM and
ADSP. Per the DKIM signature, the identity noted within the signature
may not be found elsewhere within the message, but is defined as
representing the signature's "on-behalf-of" identity. The overview
mixes different concepts of identity to be that of the signing domain
together with that of the "on-behalf-of" identity. Since DKIM is
unable to make strong assertions about the "identity" parameter within
the signature, it is unlikely conflation with an "on-behalf-of"
identity will be of any benefit. Rather than using the conflated term
identity, perhaps specifically calling this the signing domain would
help prevent confusion. The "entity" confirmed by DKIM signature
validation is that of the entity controlling the domain publishing the
public key. Perhaps replacing the term identity with "signing
domain" or "key domain" would make this term more succinct and less
misleading.
In addition, section 4.1 appears to confuse what an identity might
be. Suggesting that key selectors are to be considered part of the
identity is wrong. Neither the key selectors nor the signature's on-
behalf-of identity are confirmed as a result of DKIM signature
validation. ONLY the domain publishing the public key being used is
confirmed. Only the domain publishing the public key can be
considered to represent an entity accountable for the message
itself. It does not matter for whom this domain suggests their
signature was added on behalf of. The "on-behalf-of" identity is not
confirmed by way of DKIM validation, where many signing domains even
allow this identity to "default" and remain ambiguous.
-Doug
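As an added illustration of the distinction drawn above (this is example code, not part of the original thread or of any DKIM implementation), the following parses a DKIM-Signature tag list and separates what signature validation actually binds (the signing domain d=, via the public key published at s._domainkey.d) from what it does not (the i= on-behalf-of identity, whose local-part is never confirmed and which per RFC 4871 defaults to "@" followed by d= when the tag is absent, and whose domain must equal d= or be a subdomain of it). The header values are constructed samples; the bh= and b= fields are placeholders, not real hashes or signatures.

```python
# Added example, not from the original mailing-list post. It shows which parts
# of a DKIM-Signature header are bound to the verified key domain and which
# (the i= on-behalf-of identity) are merely asserted by the signer.
import re

# Constructed sample headers (bh= and b= are placeholders, not real values).
SIG_WITH_IDENTITY = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1;"
    " i=alice@mail.example.com; h=from:to:subject:date;"
    " bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG=="
)
SIG_DEFAULT_IDENTITY = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1;"
    " h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG=="
)
SIG_FOREIGN_IDENTITY = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1;"
    " i=bob@other.example; h=from:to:subject:date;"
    " bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG=="
)


def parse_dkim_tags(header_value: str) -> dict:
    """Parse an RFC 4871 tag=value list; whitespace inside values is ignored."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        # Split on the first '=' only: base64 values may contain '=' padding.
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def identity_summary(header_value: str) -> dict:
    """Report the key (signing) domain versus the asserted on-behalf-of identity."""
    tags = parse_dkim_tags(header_value)
    key_domain = tags["d"].lower()
    selector = tags["s"]
    identity = tags.get("i")
    defaulted = identity is None
    if defaulted:
        # RFC 4871 s.3.5: i= defaults to an empty local-part, "@", then d=.
        identity = "@" + key_domain
    local_part, _, identity_domain = identity.rpartition("@")
    identity_domain = identity_domain.lower()
    # RFC 4871 s.3.5: the domain of i= MUST be d= or a subdomain of d=; a
    # verifier treats anything else as an invalid signature.
    within_key_domain = (
        identity_domain == key_domain
        or identity_domain.endswith("." + key_domain)
    )
    return {
        # Bound by validation: the key is fetched from this DNS name.
        "key_domain": key_domain,
        "key_record": f"{selector}._domainkey.{key_domain}",
        # Asserted only: the signer may say anything within its own domain tree.
        "on_behalf_of": identity,
        "on_behalf_of_local_part": local_part,
        "on_behalf_of_defaulted": defaulted,
        "on_behalf_of_within_key_domain": within_key_domain,
        "signature_valid_if_crypto_ok": within_key_domain,
    }


if __name__ == "__main__":
    for label, hdr in [
        ("explicit i=", SIG_WITH_IDENTITY),
        ("defaulted i=", SIG_DEFAULT_IDENTITY),
        ("foreign i=", SIG_FOREIGN_IDENTITY),
    ]:
        print(label, identity_summary(hdr))
```

Note that the selector only names which key under the d= domain to fetch; it is a lookup handle, not a separately accountable party, which is why only `key_domain` above is the thing a validated signature actually vouches for.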
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html