[ietf-dkim] DKIM does domain signing, not mailbox signing

John L johnl at iecc.com
Thu Nov 29 11:41:17 PST 2007


> The issue here isn't reputation (although this may come up in that 
> context, too); the issue is whether a given signature is interpreted as 
> an Originator Signature or not by SSP.

Seems to me that any algorithm more complex than comparing the From: 
domain to the signing domain will die in the Swamp of Unforeseen and 
Unmanageable Complexity.  If you mean something different when you sign 
list mail than when you sign individual mail, use a different signing 
domain.  As Jon reminded us, the semantic granularity of DKIM is domains, 
not mailboxes.

>>    i=  Identity of the user or agent (e.g., a mailing list manager)

> Although 4871 doesn't specify any semantics associated with the
> local-part of i=, if it had been intended to be an opaque token, it
> would have been worded differently.

Now wait a minute.  I don't see the word "mailbox" or "address" there, I 
see the carefully neutral term "identity".  The following text says that 
it has the syntax of a mailbox, not the semantics of a mailbox.

It's a cookie, just like the cookie that the late lamented RFC 1413 IDENT 
returns.  In many cases those cookies may happen to match mailbox names, 
but in just as many cases they don't, and it's poor design to assume that 
they do.  See the informative discussion two paragraphs later.

Regards,
John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
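The check the post describes (compare the From: domain with the signing domain d=, and treat the local-part of i= as an opaque cookie rather than a mailbox), as an added Python example that is not part of the original message; the sample headers are constructed, and the i= local-part is deliberately a VERP-style token that looks nothing like the From: mailbox.

```python
import re
from email.utils import parseaddr

# Constructed sample headers (not taken from the original message).
SAMPLE_FROM = "Alice <alice@example.com>"
SAMPLE_DKIM = (
    "v=1; a=rsa-sha256; d=lists.example.org; s=sel;\r\n"
    "\ti=bounces+alice=example.com@lists.example.org;\r\n"
    "\th=from:to:subject; bh=...; b=..."
)


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 4871 tag-list).
    Only the first '=' separates tag from value, so an i= local-part that
    itself contains '=' survives intact."""
    tags = {}
    for field in header_value.split(";"):
        if "=" not in field:
            continue
        name, _, value = field.partition("=")
        # Folding whitespace (CRLF + WSP) is not significant inside tag values.
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def from_domain(from_header):
    """Domain part of the From: address, lower-cased for comparison."""
    addr = parseaddr(from_header)[1]
    return addr.rpartition("@")[2].lower()


def signing_domain_matches_from(dkim_header, from_header):
    """The 'simple' test from the post: the signer (d=) is the From: domain.
    The i= tag is ignored on purpose; its local-part is an opaque token."""
    d = parse_dkim_tags(dkim_header).get("d", "").lower()
    f = from_domain(from_header)
    return bool(d) and d == f


def i_domain_within_d(dkim_header):
    """The one constraint RFC 4871 does put on i=: its domain part must be
    d= or a subdomain of d=. The local-part is never inspected."""
    tags = parse_dkim_tags(dkim_header)
    d = tags.get("d", "").lower()
    i = tags.get("i")
    if i is None:
        return True  # i= defaults to "@d=", which trivially satisfies the rule
    idom = i.rpartition("@")[2].lower()
    return idom == d or idom.endswith("." + d)
```

With the constructed headers, the list signature does not count as a From:-domain signature (d= is lists.example.org, From: is example.com), even though the i= local-part happens to contain the string "alice=example.com".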

