[ietf-dkim] New Issue: Discussion of assessments in Selector Construct section
dotis at mail-abuse.org
Tue Mar 25 10:53:22 PDT 2008
On Mar 24, 2008, at 10:00 PM, Jim Fenton wrote:
> Section 4.3, "The Selector Construct", talks quite a bit about
> identities for doing assessments. Other than the point that it
> makes in the section beginning NOTE:, none of this has anything to
> do with selectors. Furthermore, I consider it premature to define
> the identity(-ies) that might be used for assessments, not having
> operational experience with this (although I do agree that making
> assessments based on the selector is a Bad Idea).
> The last paragraph also suggests the use of different sub-domains
> for d=, but does not point out that the author address must also
> follow suit, otherwise the message may not be seen to be in
> compliance with Signing Policy.
IMHO, signing policy should separate itself from constraints defined
by RFC4871 regarding the scope of identities that can be associated
with signatures. Signing Policy should be limited to whether a
particular domain signs all of their messages, where which identities
are associated with the signature is a separate issue. It is
counterproductive to have verifiers expend efforts policing the scope of
identities included within a policy hierarchy extending to
sub-domains. Is this really a problem that needs to be solved via signing
policy? After all, a parent domain is free to publish any records they
wish, where DKIM is unable to change that reality.
> Specifically, I suggest the removal of all but the first sentence of
> paragraph 1, and all of the last paragraph of the section.
Disagree, this is perhaps one sentence that gets the link to a
responsible entity right?