
Re: [ietf-dkim] Output summary - Keep your Eye on the Prize!

2011-05-05 22:20:52
-----Original Message-----
From: Michael Thomas [mailto:mike(_at_)mtcc(_dot_)com]
Sent: Thursday, May 05, 2011 1:35 PM
To: Murray S. Kucherawy
Cc: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Output summary - Keep your Eye on the Prize!

> On 05/04/2011 08:34 PM, Murray S. Kucherawy wrote:
>> Technical: The AUID is an unvetted value.  The local-part and the
>> subdomain could be garbage.  It's inappropriate for a security protocol
>> to return a possibly false value in the context of saying something was
>> cryptographically validated.
>
> I don't think this is correct. The signer creates and signs the i= value,
> so it's not "garbage", and it can't be "false" either. I don't even know
> what false means in this context. It's just a value which is guaranteed
> to be within the d= domain's bailiwick.

By "garbage", I mean "not guaranteed to have any useful meaning".

Think of how it might be used by someone seeking to avoid accumulating negative 
reputation.  The subdomain might not exist; it could be a string of random 
(though syntactically legal) characters.  The local part might not have 
anything at all to do with an email address or other login ID that's valid on 
the signer or author systems, and may be unique per message, meaning it can't be 
used as input to an assessor in a useful way.

So, I believe, it's essentially meaningless as far as the protocol can 
stipulate.  Assertions of its semantics thus fall outside of the base DKIM spec.
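The i=/d= relationship the two messages are arguing about, as an added example that is not part of this thread or of any DKIM implementation: a verifier-side check that the AUID's domain is the SDID or a subdomain of it (the only constraint RFC 6376 places on i=), run over three constructed DKIM-Signature values. The bh= and b= values are placeholders, not real hashes or signatures, and the helper names are the example's own.

```python
"""Added example: how a verifier relates i= (AUID) to d= (SDID).

RFC 6376 3.5 requires the domain of i= to be d= or a subdomain of d=,
and says nothing about the local-part or which subdomain is used. The
example shows that a random-looking AUID passes the same check as an
ordinary one, so an assessor that wants a stable identity keys on d=.
"""


def parse_tags(header_value: str) -> dict:
    """Minimal tag=value parser for a DKIM-Signature field value.

    Splits on ';', takes the first '=' as the separator, and removes
    folding whitespace from values. Sufficient for d=, i=, s=, v= here.
    """
    tags = {}
    for item in header_value.split(";"):
        if "=" not in item:
            continue
        name, _, value = item.partition("=")
        tags[name.strip()] = "".join(value.split())
    return tags


def auid_in_bailiwick(auid: str, sdid: str) -> bool:
    """True if the domain part of i= is d= itself or a subdomain of d=.

    This is the whole of what the protocol guarantees about i=: the
    local-part and the subdomain label(s) are signer-chosen and unvetted.
    """
    if "@" not in auid:
        return False  # i= must be [local-part]@domain
    domain = auid.rsplit("@", 1)[1].lower().rstrip(".")
    sdid = sdid.lower().rstrip(".")
    return domain == sdid or domain.endswith("." + sdid)


def evaluate(header_value: str) -> dict:
    """Return the identities a verifier would expose for one signature.

    'valid' covers only the i=/d= bailiwick rule; cryptographic
    verification of b= is out of scope for this example.
    """
    tags = parse_tags(header_value)
    sdid = tags["d"]
    auid = tags.get("i", "@" + sdid)  # RFC 6376 default when i= is absent
    return {"sdid": sdid, "auid": auid, "valid": auid_in_bailiwick(auid, sdid)}


# Constructed sample signatures (placeholder bh=/b= values, not real data).
SAMPLE_SIGNATURES = [
    # ordinary AUID: a real-looking mailbox under d=
    "v=1; a=rsa-sha256; d=example.com; s=sel; i=alice@example.com;"
    " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER",
    # random local-part and non-existent subdomain: still within bailiwick
    "v=1; a=rsa-sha256; d=example.com; s=sel; i=x9f3k2@zq8w1.example.com;"
    " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER",
    # AUID outside d=: the signature must be treated as failing
    "v=1; a=rsa-sha256; d=example.com; s=sel; i=alice@notexample.com;"
    " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER",
]


def stable_identities(signatures) -> set:
    """The identity set an assessor can rely on across the valid samples."""
    return {r["sdid"] for r in map(evaluate, signatures) if r["valid"]}


if __name__ == "__main__":
    for sig in SAMPLE_SIGNATURES:
        print(evaluate(sig))
    print("assessor keys:", stable_identities(SAMPLE_SIGNATURES))
```

The first two samples pass the bailiwick check and differ only in an AUID the verifier cannot vet; the third fails it. Across the passing ones the only identity that stays constant is d=, which is the point Murray makes about what an assessor can use.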


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
