Jim Fenton wrote:
Siegel, Ellen wrote:
Informative Note: DKIM signatures by parent domains as described
in section 3.8 of [RFC4871] (in which a signer uses "i=" to assert
that it is signing for a subdomain) do not satisfy the
requirements for an Author Domain Signature as defined above.
[ . . . ]
Works for me.
+1
(I'd use commas instead of parentheses, but that's minor.)
IMHO, this is still wrong. The i= value should be _ignored_ when
determining ADSP compliance. I'll try some examples.
Yes, the i= value _is_ ignored when determining ADSP compliance. The
text that refers to the i= value is in RFC 4871, not the ADSP spec, and
the point of the note is to point out that the comments about the use of
i= there don't apply to ADSP because ADSP doesn't use i=.
I don't think we should have a note in a protocol that suggest, imply
anything NEGATIVE about not being compliant with DKIM-BASE. It is
works, it is compliant or its not. If we keep that statement that
people will undoubtedly think the protocol is now worth its effort,
especially when they do want to use i=.
The technical problem as I see it is the tight requirement between d=
and i=.
If i= is suppose to be an "On Behalf of" idea, then it probably needs
to be open ended.
This will allow for ADSP to be protocol consistency for 1st party
signing domain considerations and still allow for a 3rd party signer
identity.
Isn't i= part of the DKIM hashing?
If so, I don't see why it was restricted to be equal or part of the d=
domain.
Probably too late or too big of a change to do in 4871, but it is
certainly something to keep in mind.
The final part of DKIM is to resolve the 3rd party authorization
issues and I don't think we should only rely on "reputation" to
resolve first level fraud.
--
Sincerely
Hector Santos
http://www.santronics.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html