-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Jim Fenton
Sent: Wednesday, October 13, 2010 2:34 PM
To: Barry Leiba
Cc: IETF DKIM WG
Subject: Re: [ietf-dkim] Last call comment: Changing the g= definition
3.6.1.1. Compatibility Note for DomainKeys
Key records for DKIM are backward-compatible with key records
for the now-obsolete DomainKeys [RFC4870], except in one
circumstance: DomainKeys interpreted an empty "g=" value to
match any signing address ("i=" in the signature). In DKIM, that
matching is done by "g=*", or by omitting "g=" and taking the
default behaviour. An empty "g=" value in DKIM will match only
empty "i=" values.
If a key record uses an empty "g=" value and also uses "v=",
the key record can be identified as belonging to DKIM, and the
DKIM interpretation will be used. Absent a "v=" tag, though,
the verifier cannot tell whether the signer intended the
DomainKeys interpretation or the DKIM one.
To avoid second-guessing in a security context, and because
DomainKeys is an obsolete protocol, DKIM verifiers MUST
interpret this situation in DKIM terms, matching only
empty "i=" values.
A quick point of order here: This is based on errata #1532 which is "Held for
Document Update". Are we free to change the proposed semantics that are
described there, which do allow for a back-compatibility interpretation?
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html