On Mar 30, 2009, at 2:31 PM, John Levine wrote:
>> Informative Note: ADSP is incompatible with DKIM signing by parent
>> domains described in section 3.8 of [RFC4871] in which a signer
>> uses "i=" to assert that a parent domain is signing for a subdomain.
>
> That's not fine, since we've just gone around and agreed that the
> signing identity is d=. Leave this paragraph out.

John is correct. ADSP is not about receivers limiting what part of a
domain's namespace can be signed. ADSP should be about whether a
signature is at or above the email-address domain.

When the i= value offers intra-domain tokens, rather than real
email-addresses matching within signed header fields, avoiding accidental
namespace collisions would be desired. Avoidance can be assured by
using non-existing sub-domain labels. The intent behind the ADSP
change is to eliminate any restriction imposed by receivers on what
part of a domain's namespace (real or fictitious) provides a valid
signature.

Allow DKIM to determine what is a valid signature. The i= value does
not need to represent a valid email-address to be useful. By
requiring just the domain, domains retain control over all their
namespace at or below their domain. ADSP currently allows domains to
sign any sub-domain as long as it matches against the i= value. The
only i= value exposure is related to g= key restrictions where DKIM
still mandates the use of specific i= values.

-Doug
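
Added example, not part of the original message or of any DKIM/ADSP implementation: a sketch of the comparison discussed above, checking whether a signature's d= is at or above the author's email-address domain, alongside an exact-match comparison included here only for contrast. Function names and the sample signature are constructed for illustration; the i= default and the "i= domain within d=" rule follow RFC 4871.

```python
# Illustrative only: hypothetical helper names, constructed sample values.

def _labels(domain):
    """Split a domain into lowercase labels, ignoring a trailing dot."""
    return domain.strip(".").lower().split(".")

def at_or_above(signer, author):
    """True if `signer` equals `author` or is a parent of it.

    Compared label by label, so "example.com" is not treated as a
    parent of "notexample.com" (a plain string-suffix test would be).
    """
    s, a = _labels(signer), _labels(author)
    return len(s) <= len(a) and a[len(a) - len(s):] == s

def parse_tags(sig):
    """Parse the tag=value list of a DKIM-Signature field value."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def evaluate(sig, author_address):
    """Compare the signing domain with the author's address domain."""
    tags = parse_tags(sig)
    d = tags["d"]
    i = tags.get("i", "@" + d)          # RFC 4871: i= defaults to "@" + d=
    i_domain = i.rsplit("@", 1)[1]      # local part may be empty or a token
    author_domain = author_address.rsplit("@", 1)[1]
    return {
        # RFC 4871: the i= domain is the same as, or a subdomain of, d=
        "i_within_d": at_or_above(d, i_domain),
        # the "at or above the email-address domain" test from the message
        "d_at_or_above_author": at_or_above(d, author_domain),
        # exact-match comparison, for contrast (assumption of this example)
        "d_equals_author": _labels(d) == _labels(author_domain),
    }

# Constructed sample: parent domain signs for a subdomain, with i= carrying
# an intra-domain token under a sub-domain label that is not a real mailbox.
SAMPLE_SIG = "v=1; a=rsa-sha256; d=example.com; s=sel; i=@token.example.com"

if __name__ == "__main__":
    print(evaluate(SAMPLE_SIG, "user@mail.example.com"))
```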