On Apr 2, 2009, at 8:15 AM, Dave CROCKER wrote:
I think there are two sources of confusion for this round of ADSP
discussion.
The first is that the term "Author Signature" encourages one to
think that DKIM is used to sign with the full author email address,
rather than with the /domain/ of the author's address. We fixed
that error in the name of the document, but forgot to carry it
through to the details of the spec.
Agreed. :^)
DKIM is about domains, not email addresses. And that's all ADSP
should be. Using i= encourages this cofusion. Using "Author
Signature" rather than "Author Domain Signature" also encourages it.
Agreed.
----
Change:
1. Introduction:
This inquiry is called an Author Signing Practices check.
To:
This inquiry is called an Author Domain Signing Practices check.
----
Change:
Section 2.7 Author Signature.
To:
Section 2.7 Author Domain Signature.
----
Change:
An "author signature"
To:
An "Author Domain Signature"
Then:
s/author signature/Author Domain Signature/
The specification and semantics of ADSP get simpler, cleaner and
properly scoped, when d= is used. Using i= really does invite a
complex of issues that should be outside the scope of DKIM and ADSP.
Within the Security Consideration section, mention use of the i= could
be required to differentiate intra-domain sources that might otherwise
confuse From header fields as the message source, such as a mailing-
list sharing the same domain.
Append to the initial paragraph within the Security Considerations
section:
Use of the i= value (AUID) may be necessary to disambiguate message
sources, such as those messages handled by a mailing list sharing the
same domain.
Use d=.
To determine ADSP compliance. Agreed.
d/
ps. That includes dropping the "ADSP is incompatible" note.
----
Strike the following in Section 2.7:
If the DKIM signing identity has a Local-part, it is be identical to
the Local-part in the Author Address. Following [RFC5321], Local-part
comparisons are case sensitive, but domain comparisons are case
insensitive.
For example, if a message has a Valid Signature, with the DKIM-
Signature field containing "i=a(_at_)domain(_dot_)example", then domain.example
is asserting that it takes responsibility for the message. If the
message's From: field contains the address "b(_at_)domain(_dot_)example", that
would mean that the message does not have a valid Author Signature.
Even though the message is signed by the same domain, it will not
satisfy ADSP that specifies "dkim=all" or "dkim=discardable".
Note: ADSP is incompatible with valid DKIM usage in which a signer
uses "i=" with values that are not the same as addresses in mail
headers. In that case, a possible workaround could be to add a
second DKIM signature a "d=" value that matches the Author Address,
but no "i=".
----
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html