ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] Last call comment: Changing the g= definition

2010-10-13 16:46:15
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org 
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Jim Fenton
Sent: Wednesday, October 13, 2010 2:34 PM
To: Barry Leiba
Cc: IETF DKIM WG
Subject: Re: [ietf-dkim] Last call comment: Changing the g= definition

    3.6.1.1. Compatibility Note for DomainKeys

       Key records for DKIM are backward-compatible with key records
       for the now-obsolete DomainKeys [RFC4870], except in one
       circumstance: DomainKeys interpreted an empty "g=" value to
       match any signing address ("i=" in the signature).  In DKIM, that
       matching is done by "g=*", or by omitting "g=" and taking the
       default behaviour.  An empty "g=" value in DKIM will match only
       empty "i=" values.

       If a key record uses an empty "g=" value and also uses "v=",
       the key record can be identified as belonging to DKIM, and the
       DKIM interpretation will be used.  Absent a "v=" tag, though,
       the verifier cannot tell whether the signer intended the
       DomainKeys interpretation or the DKIM one.

       To avoid second-guessing in a security context, and because
       DomainKeys is an obsolete protocol, DKIM verifiers MUST
       interpret this situation in DKIM terms, matching only
       empty "i=" values.

A quick point of order here: This is based on errata #1532 which is "Held for 
Document Update".  Are we free to change the proposed semantics that are 
described there, which do allow for a back-compatibility interpretation?

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html