On Apr 13, 2009, at 6:04 AM, Jim Fenton wrote:
>> Consider a domain that uses sub-domains for their mailing-lists
>> that are signed using Parent Domain Signing. Even when a parent
>> domain has ADSP assertions of either an "all" or "discardable",
>> users can still participate in these mailing-lists using Parent
>> Domain Signing and be compliant with ADSP. Compliance can not be
>> defined in terms of Parent Domain Signing, since the i= value can
>> contain sub-domains.
>
> I don't understand what "users can participate in these
> mailing-lists using Parent Domain Signing" means. A signature
> applied by a mailing list would be an Author Domain Signature,
> except in the special case where the domain of the mailing list
> signature happens to be the same as that of the author. It's
> possible to avoid this special case by having the mailing list
> domain be different from that of any author, and one way to do that
> is to give the mailing list(s) a separate subdomain. But that
> doesn't have anything to do with the caution about Parent Domain
> Signing.

A parent domain signature applied by the mailing-list might look as
follows:

  _adsp._domainkey.example.com TXT "dkim=discardable"

  From: jon.doe@example.com
  DKIM-Signature: i=list-subject@mail-list-ns.example.com;
    d=example.com; ...

When evaluating ADSP, this type of "Parent Domain Signature" is still
compliant. Users of "example.com" can participate in
"list-subject@mail-list-ns.example.com" without special signatures
being needed.

The domain might also use sub-domains as their means to tokenize
on-behalf-of entities.

A parent domain signature applied for tokenized entities might look as
follows:

  From: jon.doe@example.com
  DKIM-Signature: i=radius-value@radius-ns.example.com;
    d=example.com; ...

When evaluating ADSP, this type of "Parent Domain Signature" is also
still compliant. A caution must not refer to i= values or parent
domain signing. The caution should be limited to ensuring the signing
domain and the email-address domain be the same. "Parent Domain
Signing" is ONLY about the i= value, where the i= value is ignored for
ADSP compliance.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
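
The compliance rule argued for in the message above (compare d= with the From domain and ignore i=), as an added example that is not code from the thread or from any DKIM implementation. It assumes the signatures passed in have already been cryptographically verified; the ADSP_RECORDS table is constructed in place of DNS, and the result strings are labels chosen for this example.

```python
import re
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups of _adsp._domainkey.<domain>.
ADSP_RECORDS = {"example.com": "dkim=discardable"}

def parse_tags(value):
    """Split a tag list (DKIM-Signature value or ADSP record) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def author_domain(from_header):
    """Domain part of the address in the From header, lower-cased."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def is_author_domain_signature(from_header, sig_value):
    """True when d= equals the From domain. The i= tag is never consulted,
    so an i= in a sub-domain of d= does not change the outcome."""
    return parse_tags(sig_value).get("d", "").lower() == author_domain(from_header)

def adsp_result(from_header, valid_signatures):
    """valid_signatures: DKIM-Signature values that already verified."""
    if any(is_author_domain_signature(from_header, s) for s in valid_signatures):
        return "pass"
    record = ADSP_RECORDS.get(author_domain(from_header))
    if record is None:
        return "none"  # no ADSP record published for the author domain
    practice = parse_tags(record).get("dkim", "unknown")
    return {"all": "fail", "discardable": "discard"}.get(practice, "unknown")

if __name__ == "__main__":
    sender = "jon.doe@example.com"
    for sig in ("i=list-subject@mail-list-ns.example.com; d=example.com",
                "i=radius-value@radius-ns.example.com; d=example.com",
                "d=mail-list-ns.example.com"):  # constructed: d= is a sub-domain
        print(sig, "->", adsp_result(sender, [sig]))
```

The third, constructed signature shows the case the caution is meant to cover: signing with d= set to a sub-domain of the author domain does not satisfy ADSP, whatever i= contains.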