On Apr 9, 2009, at 10:11 AM, J.D. Falk wrote:
Siegel, Ellen wrote:
Informative Note: DKIM signatures by parent domains as described
in section 3.8 of [RFC4871] (in which a signer uses "i=" to assert
that it is signing for a subdomain) do not satisfy the
requirements for an Author Domain Signature as defined above.
[ . . . ]
Works for me.
+1
(I'd use commas instead of parentheses, but that's minor.)
IMHO, this is still wrong. The i= value should be _ignored_ when
determining ADSP compliance. I'll try some examples.
,----
DKIM-Signature: ... d=foo.example.com;
From: jon.doe@foo.example.com
'----
#### This would be a first-party or Author Domain Signature. Note the
lack of the i= value.
,----
DKIM-Signature: ... d=example.com;
From: jon.doe@foo.example.com
'----
#### This would not be a first-party or Author Domain Signature. Again
note the lack of an i= value.
,----
DKIM-Signature: ... d=example.com; i=@foo.example.com
From: jon.doe@example.com
'----
#### This would be a first-party or Author Domain Signature. Although
in conflict with the prior definition, use of a sub-domain in the i=
value helps ensure against accidental collisions with real email
addresses, when the i= value represents a token for the on-behalf-of
identity.
There is no reason for ADSP to facilitate parent domain signing.
Parent domain ADSP assertions are impossible after all.
Since each ADSP assertion MUST be made at the
"_adsp._domainkey.email-address-domain TXT", creating a DNS entry at
"<s=value>._domainkey.email-address-domain TXT" (which could point to
a parent domain key using CNAME) represents only a minor effort.
When it is too difficult to reference a key from the email-address
domain, then don't make ADSP assertions at sub-domains intended to
send and receive email.
Here is one more attempt at redefining section 2.7.
,----
A valid first party signature or "Author Domain Signature" is a Valid
Signature where the domain name in the DKIM signing domain (SDID) is
the same as the Author Domain.
Any sub-domain included within the i= value (AUID) will not affect
ADSP compliance. Only email-address domains that reference the DKIM
key can comply with ADSP assertions.
'----
-Doug
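The three cases above and the proposed section 2.7 wording, worked through as an added example that is not part of this thread or of any DKIM implementation: it applies the "d= must equal the Author Domain, i= is ignored" rule to constructed headers and shows where a verifier would look for the ADSP record and the signing key (the `s=`, `v=`, `a=`, `bh=` and `b=` tags are assumed filler so the headers are well-formed).

```python
from email.utils import parseaddr

def parse_dkim_tags(value):
    """Split a DKIM-Signature tag-list ("k=v; k=v") into a dict.
    partition() keeps '=' padding inside base64 values such as b= intact."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, _, v = part.strip().partition("=")
            tags[k.strip()] = v.strip()
    return tags

def author_domain(from_header):
    """The Author Domain is the domain part of the From: address (case-insensitive)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def is_author_domain_signature(dkim_value, from_header):
    """Doug's proposed section 2.7 rule: the SDID (d=) must equal the Author Domain.
    The AUID (i=) is deliberately ignored, so a sub-domain in i= neither helps nor hurts."""
    return parse_dkim_tags(dkim_value).get("d", "").lower() == author_domain(from_header)

def adsp_record_name(from_header):
    """Where a verifier looks for the ADSP assertion: always under the Author Domain."""
    return "_adsp._domainkey." + author_domain(from_header)

def key_record_name(dkim_value):
    """Where a verifier looks for the signing key: <s>._domainkey.<d>.
    Doug's point: a sub-domain can CNAME this name at a parent domain's key."""
    t = parse_dkim_tags(dkim_value)
    return t["s"] + "._domainkey." + t["d"].lower()

# Constructed sample headers mirroring the three cases in the post (s=, v=, a= are
# assumed filler so the headers parse; bh= and b= are placeholders, not real signatures).
CASES = [
    ("v=1; a=rsa-sha256; d=foo.example.com; s=sel; h=from; bh=X; b=Y",
     "jon.doe@foo.example.com"),
    ("v=1; a=rsa-sha256; d=example.com; s=sel; h=from; bh=X; b=Y",
     "jon.doe@foo.example.com"),
    ("v=1; a=rsa-sha256; d=example.com; s=sel; i=@foo.example.com; h=from; bh=X; b=Y",
     "jon.doe@example.com"),
]

def evaluate_cases():
    """Author Domain Signature verdict for each case: expected [True, False, True]."""
    return [is_author_domain_signature(d, f) for d, f in CASES]

if __name__ == "__main__":
    for (dkim, frm), ok in zip(CASES, evaluate_cases()):
        print(f"From {frm}: ADSP at {adsp_record_name(frm)}; "
              f"key at {key_record_name(dkim)}; author-domain signature: {ok}")
```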
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html