At 11:02 30-03-2009, DKIM Chair wrote:
What we need to do by the end of the week is this:
1. Decide whether the gist of Jim's proposal is something we can accept, whether or not it would be our first preference? John, for example, has said that it's not his preference, but he considers it "harmless", and, therefore, acceptable.

1.5. For those who think we really need ADSP to use i= or something like it, can you *accept* taking i= out for now, in the interest of moving ahead with the spec, possibly to add i= or something like it back in through an extension later if experience shows us that you're right?
This issue was discussed within this WG in 2007. There was also a
discussion about whether "SSP" is appropriate. ADSP was chosen as it
is a signing practice advertised by the Author Domain. The Author is
what is in the From: header field.

Granularity is one of the features offered by DKIM to restrict what
signing address can be used. What constitutes a signing address is
left to local policy. If we are using ADSP, we can, for example,
match against the From: header field.

People can put anything in the i= tag. We have seen that being done
in practice. The effect is that it may not match the email address
in the From: header field. One of the interesting features of the i=
tag is that it can be used for subdomains. This means that I can
have one public key under example.com and reuse it for my
subdomains. Some people may argue that I could use a CNAME RR to
point the subdomains to the public key. That requires changes to
DNS. Most of us may find that trivial but it is complicated for DKIM
users as DNS may be handled by a different entity.

My preference is not to take out the i= tag. I think that the i= tag
value should be used for the ADSP match. If two parties want to use
the i= tag for their local purposes, they can use an extension
tag. I only have to know what the value represents if there is a
specification for it.

I prefer to see the note at the end of Section 2 of
draft-ietf-dkim-ssp-09 removed. Most users will not do multiple
signatures because they see it as complex and because of the
overhead. If people want to use ADSP, keep it simple by telling them
what signature constitutes a valid Author Signature. When you say
that "ADSP incompatible with valid DKIM usage ...", people will
register the word "incompatibility" and view valid DKIM usage as
mostly about third party signatures.

I find it difficult to comment on this point alone as the issues are
intertwined. The arguments by both sides open up questions about the concepts.
Regards,
-sm
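The two ways of deciding what counts as an Author Signature that this thread argues over, as an added example that is neither part of the original message nor code from the DKIM working group: one check compares the DKIM-Signature d= domain with the From: domain (the rule ADSP ended up with), the other compares the i= identity with the From: address, which is the match the reply above prefers and which lets one key under example.com cover a subdomain author. The tag-list parser, the rule that a missing i= defaults to "@" plus d=, and the rule that the i= domain must be d= or a subdomain of it follow RFC 4871; treating an i= with an empty local part as matching any mailbox at that domain is this example's own choice; the headers and signature values are constructed samples, not real signatures.

```python
import re
from email.utils import parseaddr


def parse_dkim_tags(header_value):
    """Parse a DKIM-Signature tag-list (RFC 4871 section 3.2) into a dict.

    Tags are separated by ';' and written name=value. Only the first '=' splits
    name from value, so base64 padding in b=/bh= survives. Folding whitespace
    inside values is dropped.
    """
    tags = {}
    for item in header_value.split(";"):
        if not item.strip():
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % item)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signing_identity(tags):
    """Return (local_part, domain) of the i= identity.

    RFC 4871: a missing i= defaults to '@' + d, and the i= domain MUST be the
    d= domain or a subdomain of it; anything else is rejected here.
    """
    d = tags.get("d")
    if not d:
        raise ValueError("DKIM-Signature lacks the required d= tag")
    d = d.lower()
    identity = tags.get("i", "@" + d).lower()
    local, at, domain = identity.rpartition("@")
    if not at:
        raise ValueError("i= tag must contain '@'")
    if not (domain == d or domain.endswith("." + d)):
        raise ValueError("i= domain %r is not %r or a subdomain of it" % (domain, d))
    return local, domain


def author_address(from_header):
    """Extract the Author Address as (local_part, domain) from a From: header."""
    _, addr = parseaddr(from_header)
    local, at, domain = addr.rpartition("@")
    if not at:
        raise ValueError("From: header carries no addr-spec")
    return local, domain.lower()


def author_signature_by_d(from_header, dkim_sig):
    """Author Signature as ADSP finally defined it: d= equals the From: domain."""
    tags = parse_dkim_tags(dkim_sig)
    _, from_domain = author_address(from_header)
    return tags.get("d", "").lower() == from_domain


def author_signature_by_i(from_header, dkim_sig):
    """The match the reply above argues for: compare the i= identity with the
    From: address. Domains are compared case-insensitively; an empty i= local
    part (this example's choice) matches any mailbox at that domain."""
    tags = parse_dkim_tags(dkim_sig)
    from_local, from_domain = author_address(from_header)
    sig_local, sig_domain = signing_identity(tags)
    if sig_domain != from_domain:
        return False
    return sig_local == "" or sig_local == from_local


# Constructed sample headers; b= and bh= are placeholders, not real signature data.
FROM_HEADER = "Alice Example <alice@sub.example.com>"
SIG_SUBDOMAIN = ("v=1; a=rsa-sha256; d=example.com; s=sel; i=alice@sub.example.com;\r\n"
                 " h=from:to:subject; bh=dGVzdA==; b=ZmFrZQ==")
SIG_OTHER_USER = ("v=1; a=rsa-sha256; d=example.com; s=sel; i=bob@example.com;"
                  " h=from:to:subject; bh=dGVzdA==; b=ZmFrZQ==")

if __name__ == "__main__":
    # The d= rule rejects the subdomain author; the i= rule accepts it.
    print("by d=:", author_signature_by_d(FROM_HEADER, SIG_SUBDOMAIN))
    print("by i=:", author_signature_by_i(FROM_HEADER, SIG_SUBDOMAIN))
    # A signature naming a different mailbox fails the i= match.
    print("by i=, other user:", author_signature_by_i(FROM_HEADER, SIG_OTHER_USER))
```

Neither function verifies the signature itself; both assume the DKIM verifier has already reported the signature valid and only decide whether that valid signature is an Author Signature for the From: address, which is the point at issue in the thread.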
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html