On Mon, 2006-08-21 at 22:29 -0400, Wietse Venema wrote:
> Douglas Otis:
> > When Big-Bank.com is coerced into using subdomains to partition their
> > messages, their customers will see more complex domain names within
> > the email-addresses and might become confused by what they see.
> >
> > Perhaps this might be subdomains like:
> >
> > [EMAIL PROTECTED]
> > [EMAIL PROTECTED]
> > [EMAIL PROTECTED]
> > [EMAIL PROTECTED]
> > [EMAIL PROTECTED]
> > etc.
>
> No, the SIGNER uses different d= domains in the signature HEADER.

When DKIM fails to offer a means to assure the validity of the 2822.From address, then an important goal has been missed. The use of a subdomain for signing removes an ability to indicate with the i= syntax that the 2822.From is assured to be valid.

It is possible to list a subdomain (or any other domain) as a designated domain within the 2822.From policy. This policy could assert the listed designated domains assure the 2822.From addresses are valid ("as-if" they were a 1st Party domain). In this case however, accessing policy is required to obtain an assurance the 2822.From is valid. :(

On the other hand, a convention using the s= selector still allows a means to partition the domain, allow the signature to directly make an assertion that the 2822.From is valid, and offer multiple keys per d=domain. This is achieved without needing to obtain policies or altering the email-address.

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
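
The two partitioning approaches discussed in this message, compared from the verifier's side. This is an added example, not code from the thread or from any DKIM implementation. The domain `big-bank.example`, the `statements` selector and subdomain, and the function names are constructed for illustration, and `needs_policy_lookup` follows the reasoning in the message above rather than any specification text.

```python
import re

def parse_tags(header_value):
    """Parse a DKIM-Signature tag list ("k=v; k=v") into a dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def assess(from_addr, header_value):
    """Report whether the signature's i= identity directly covers the From address."""
    tags = parse_tags(header_value)
    d = tags["d"].lower()
    identity = tags.get("i", "@" + d)          # i= defaults to "@" + d
    i_local, i_domain = identity.rsplit("@", 1)
    i_domain = i_domain.lower()
    # i= must name d= itself or a subdomain of d=, never a parent domain.
    if not (i_domain == d or i_domain.endswith("." + d)):
        raise ValueError("i= domain is outside d=")
    f_local, f_domain = from_addr.rsplit("@", 1)
    # An empty i= local part covers every address in the domain.
    covered = i_domain == f_domain.lower() and i_local in ("", f_local)
    return {
        "key_record": f"{tags['s']}._domainkey.{d}",  # DNS name of the public key
        "identity": f"{i_local}@{i_domain}",
        "from_covered": covered,
        "needs_policy_lookup": not covered,    # per the argument in the message
    }

# Constructed sample signatures (b=, bh=, h= omitted; they do not affect this check).
FROM = "alice@big-bank.example"
SUBDOMAIN_SIG = "v=1; a=rsa-sha256; d=statements.big-bank.example; s=k1"
SELECTOR_SIG = "v=1; a=rsa-sha256; d=big-bank.example; s=statements; i=alice@big-bank.example"

if __name__ == "__main__":
    for label, sig in (("subdomain d=", SUBDOMAIN_SIG), ("selector s=", SELECTOR_SIG)):
        print(label, assess(FROM, sig))
```

With the subdomain signature, i= cannot name the parent domain, so the From address is not covered. With the selector convention, the key is still partitioned under its own `_domainkey` record while d= and i= match the From address.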