On 4/2/2015 11:42 AM, Murray S. Kucherawy wrote:
> On Thu, Apr 2, 2015 at 9:18 AM, Dave Crocker <d...@dcrocker.net> wrote:
> If the input is "the message" and the output is "a set of zero or more
> SDIDs representing domains whose signatures validated", then I don't

Except that that does not describe the DKIM protocol.

A protocol is not (necessarily) an input/output engine.  It is an
interaction engine that delivers things.

DKIM delivers a single validated identifier.

With respect to the specific DKIM function, the message is overhead, not
payload.  It is part of what service to enable the payload, not be part
of it.



> However, and perhaps unfortunately, RFC5672 changed it so that the
> output of DKIM is a single SDID. 

Sorry, no.  It wasn't changed, although the precise spec language did
change.

RFC 478:

     "permitting a signing domain
   to claim responsibility for the introduction of a message into the
   mail stream. "


RFC 6376:

     "DomainKeys Identified Mail (DKIM) permits a person, role, or
   organization to claim some responsibility for a message by
   associating a domain name [RFC1034] with the message [RFC5322], which
   they are authorized to use."

In both cases, it refers to a single domain name.  Not multiple.

If you want to validate multiple domain names, you do multiple
(independent) signatures.

The substantive change was to clarify an ambiguity in the original spec,
about /which/ of the two possible domain names that are in the
DKIM-Signature field constitutes the promised one.


> That means either (a) RFC5672 got it
> wrong, because this doesn't allow for the whole message to be the input

huh?


> and multiple domain names (for passing signatures) to be the output, or
> (b) the above definition is wrong, because it means a single DKIM
> signature _plus_ the whole message is the input, and the algorithm picks
> apart the message as needed to complete the verification and thus
> produce the single SDID (or an error).

Or (c) the whole message isn't part of DKIM payload.

The answer is (c).



> OpenDKIM certainly implements the first definition I've used above at
> its API level, though I could argue that it satisfies either of the two
> definitions and just happens to do the latter one in a parallel way.

I suspect what you've just said is that OpenDKIM can process multiple
signatures and deliver a list of validated domain names.

This is one more demonstration of the difference between a protocol and
an API...

d/


-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
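The distinction drawn in this message, as an added example that is not code from the thread or from OpenDKIM: each DKIM-Signature field yields exactly one SDID (the d= tag, not the i= AUID, whose domain RFC 6376 requires to be d= or a subdomain of it), and an API may then collect those per-signature results into a list. The two-signature message below is constructed for illustration.

```python
import email
import re

# Constructed sample message with two independent DKIM-Signature fields,
# one per domain, as the message above describes.  Signature values are
# placeholders; no cryptographic verification is performed here.
RAW_MESSAGE = b"""\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
 i=@example.com; h=from:to:subject; bh=BODYHASH=; b=SIG1=
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.org; s=sel2;
 i=user@news.lists.example.org; h=from:to:subject; bh=BODYHASH=; b=SIG2=
From: user@example.com
To: someone@example.net
Subject: test

body
"""


def parse_tags(field_value):
    """Split a DKIM-Signature tag=value list (RFC 6376 sec. 3.2) into a dict."""
    tags = {}
    for item in field_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)  # b= values contain '=' padding
            tags[name.strip()] = re.sub(r"\s+", "", value)  # unfold whitespace
    return tags


def auid_within_sdid(auid_domain, sdid):
    """RFC 6376 sec. 3.5: the i= domain must equal d= or be a subdomain of it."""
    return auid_domain == sdid or auid_domain.endswith("." + sdid)


def sdid_of(tags):
    """The protocol output for one signature: a single SDID, taken from d=."""
    sdid = tags["d"].lower()
    auid = tags.get("i", "@" + sdid).lower()
    if "@" not in auid:
        raise ValueError("i= tag must contain '@'")
    auid_domain = auid.rsplit("@", 1)[1]
    if not auid_within_sdid(auid_domain, sdid):
        raise ValueError("i= domain %s is not within d=%s" % (auid_domain, sdid))
    return sdid


def signature_sdids(raw):
    """API-style aggregation: one SDID per independent signature, in order."""
    msg = email.message_from_bytes(raw)
    return [sdid_of(parse_tags(v)) for v in msg.get_all("DKIM-Signature", [])]
```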

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
