Murray S. Kucherawy wrote:
-----Original Message-----
#1: Suggestion to change text in section 2.3
[...]
Consensus so far (pulling in pre-WGLC comments on the same topic) is to keep
the text as-is, and so far I concur with that position. I don't believe any
of the proposed changes so far do anything to clarify or correct anything
in here.
There's been concern expressed that the list of examples in 2.3
specifically excludes some possible models of DKIM use, but I disagree.
A "person, role or organization" certainly can include an author or author's
domain, a third-party signer, an MLM, a certifying service, a policy
evaluator, an arbitrary intermediary, or any entity at all. I haven't seen
or invented an example yet that this doesn't cover, so I disagree that it's
exclusive in some way.
Overall I don't disagree and I follow your reasoning: 2.3 is
highlighting that among all the identities possible, only one can be
trusted by an independent 3rd party we all have a practical reason
to trust. All the other identities can't be trusted, regardless
of whether they are authorized.
If that understanding is correct, then isn't 2.3 going into
implementation details and risking eliminating the other implementation
methods that use policies to authenticate identities?
Another way to view this is the realistic (configuration & setup,
locally or remote) question all domains will face when deploying DKIM:
What domain is used for signing my mail?
I think it is appropriate for the Deployment Guidelines to help with
that question, but ultimately, it comes down to selecting a domain
that is authorized to sign and hopefully one that is remotely viewed
as a trusted signer.
I believe section 2.3 attempts to summarize the possible signing
identities or entities.
So in that vein, one may view all the identities as implicitly
authorized and trusted. (Note, this is how our F1 online help
describes the selection of the signer.)
But since 2.3 attempts to convey there is only one trusted identity - the
independent signer, I think it should be made clearer one way or another
what it says about trust for the other identities and/or add the
semantics that they are naturally authorized with the exception that
independent signers do not need to be authorized.
If your goal is to mature a mindset that only 1 identity can be
trusted, then the text is good for that.
If your goal is to mature a mindset that the identities are naturally
presumed to be authorized and trusted, then the text is ambiguous in
that regard.
My proposed text attempts to inject the idea that at least one
identity is an author-authorized signer distinct from what is already
stated as an independent trusted identity.
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com