On Apr 7, 2009, at 17:28, "Jim Fenton" <fenton(_at_)cisco(_dot_)com> wrote:
Siegel, Ellen wrote
I think it may be the "incompatible" that's causing the
disagreement. ADSP is not incompatible with that signing
configuration, it would just require that a second signature be
added.
Maybe something more like the following?
"ADSP should not be used for domains that use "i=" values to enable
a parent domain to sign for a subdomain (as described in section
3.8 of [RFC4871]) unless an additional signature where the "d="
domain matches the "i=" domain is added."
Good thought, but since parent domain signing is largely to simplify key
management (so that the public keys don't need to be published in each
subdomain), it's not necessary to apply a parent domain signature if a
signature where the d= value matches the actual From domain is also
applied.
But you're right, "incompatible" may be a little harsh; I just followed
John Levine's wording in -09. How about:
Informative Note: DKIM signatures by parent domains as described in
section 3.8 of [RFC4871] (in which a signer uses "i=" to assert that
it is signing for a subdomain) do not satisfy the requirements for
an Author Domain Signature as defined above.
-Jim
Works for me.
Ellen
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
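
The distinction discussed in this thread, as an added example that is not part of the original messages or of any draft text: a check of whether a DKIM signature's "d=" matches the From domain, versus a parent-domain signature that only names the subdomain in "i=". It assumes the signatures have already been cryptographically verified elsewhere; the header values, domains, and function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample headers (not from the thread).
FROM = "Alice <alice@sales.example.com>"
PARENT_SIG = "v=1; a=rsa-sha256; d=example.com; s=sel1; i=@sales.example.com; h=from:to"
SUBDOMAIN_SIG = "v=1; a=rsa-sha256; d=Sales.Example.com; s=sel2; h=from:to"


def parse_tags(sig_value):
    """Split a DKIM-Signature value into a tag -> value dict (simplified tag-list parse)."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags


def author_domain(from_header):
    """Domain of the From address, lower-cased for case-insensitive comparison."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def classify(sig_value, from_header):
    """Return 'author-domain', 'parent-domain', or 'other' for one verified signature."""
    tags = parse_tags(sig_value)
    d = tags.get("d", "").lower()
    if not d:
        return "other"
    # RFC 4871: i= defaults to "@" + d when absent.
    i_domain = tags.get("i", "@" + d).rpartition("@")[2].lower()
    author = author_domain(from_header)
    if d == author:
        return "author-domain"
    # Parent signs for a subdomain: d= is the parent, only i= names the From domain.
    if i_domain == author and author.endswith("." + d):
        return "parent-domain"
    return "other"


def has_author_domain_signature(sig_values, from_header):
    """True if at least one signature has d= equal to the From domain."""
    return any(classify(s, from_header) == "author-domain" for s in sig_values)
```

With only `PARENT_SIG` present the message has no signature whose "d=" matches the From domain; adding `SUBDOMAIN_SIG` as a second signature changes that.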