At 11:02 30-03-2009, DKIM Chair wrote:
>What we need to do by the end of the week is this:
>
>1. Decide whether the gist of Jim's proposal is something we can accept, whether
>or not it would be our first preference? John, for example, has said that it's
>not his preference, but he considers it "harmless", and, therefore, acceptable.
>
>1.5. For those who think we really need ADSP to use i= or something like it, can
>you *accept* taking i= out for now, in the interest of moving ahead with the
>spec, possibly to add i= or something like it back in through an extension later
>if experience shows us that you're right?
This issue was discussed within this WG in 2007. There was also a discussion about whether "SSP" is appropriate. ADSP was chosen as it is a signing practice advertised by the Author Domain. The Author is what is in the From: header field.

Granularity is one of the features offered by DKIM to restrict what signing address can be used. What constitutes a signing address is left to local policy. If we are using ADSP, we can, for example, match against the From: header field. People can put anything in the i= tag. We have seen that being done in practice. The effect is that it may not match the email address in the From: header field.

One of the interesting features of the i= tag is that it can be used for subdomains. This means that I can have one public key under example.com and reuse it for my subdomains. Some people may argue that I could use a CNAME RR to point the subdomains to the public key. That requires changes to DNS. Most of us may find that trivial, but it is complicated for DKIM users as DNS may be handled by a different entity.

My preference is not to take out the i= tag. I think that the i= tag value should be used for the ADSP match. If two parties want to use the i= tag for their local purposes, they can use an extension tag. I only have to know what the value represents if there is a specification for it.

I prefer to see the note at the end of Section 2 of draft-ietf-dkim-ssp-09 removed. Most users will not do multiple signatures because they see it as complex and because of the overhead. If people want to use ADSP, keep it simple by telling them what signature constitutes a valid Author Signature.

When you say that "ADSP incompatible with valid DKIM usage ...", people will register the word "incompatibility" and view valid DKIM usage as mostly about third party signatures.

I find it difficult to comment on this point alone as the issues are intertwined. The arguments by both sides open up questions about the concepts.
Regards,
-sm

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
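The two matching rules under debate in this thread, side by side, as an added Python example that is not part of the list post or of any IETF draft: one verifier-side check treats a signature as an Author Signature when its d= tag equals the domain of the From: address, the other (the preference stated above) matches the i= tag against the From: address. The i= constraint applied first, that its domain must be the same as or a subdomain of d=, is the rule DKIM (RFC 4871) places on i=. Function names, the tag parser and the sample DKIM-Signature and From: values are all constructed for this example; the b= and bh= values are placeholders, not real signatures.

```python
import re
from email.utils import parseaddr


def parse_dkim_tags(header_value):
    """Parse a DKIM-Signature tag list ("v=1; a=...; d=...") into a dict.
    Whitespace inside values (header folding) is removed, which is what a
    verifier does with b= and bh= anyway."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def from_address(from_header):
    """Return (local_part, domain) of the address in a From: header field,
    lowercased. Raises if the field carries no address."""
    _, addr = parseaddr(from_header)
    local, sep, domain = addr.lower().rpartition("@")
    if not sep or not domain:
        raise ValueError("no address in From: header: %r" % from_header)
    return local, domain


def is_same_or_subdomain(child, parent):
    """True when child == parent or child is a subdomain of parent."""
    return child == parent or child.endswith("." + parent)


def author_signature_by_d(tags, from_header):
    """Rule 1: d= must equal the Author Domain (the domain in From:)."""
    _, author_domain = from_address(from_header)
    return tags.get("d", "").lower() == author_domain


def author_signature_by_i(tags, from_header):
    """Rule 2 (the poster's preference): match i= against the From: address.
    A bare '@domain' i= matches any local part in that domain; a full
    'local@domain' must equal the From: address exactly. An i= whose domain
    is not d= or a subdomain of d= is rejected outright, as DKIM requires."""
    d = tags.get("d", "").lower()
    i = tags.get("i", "").lower() or "@" + d      # DKIM default when i= is absent
    i_local, _, i_domain = i.rpartition("@")
    if not is_same_or_subdomain(i_domain, d):
        return False
    a_local, a_domain = from_address(from_header)
    if i_domain != a_domain:
        return False
    return i_local == "" or i_local == a_local


def evaluate(sig_header, from_header):
    """Return (matches_by_d, matches_by_i) for one signature/From: pair."""
    tags = parse_dkim_tags(sig_header)
    return (author_signature_by_d(tags, from_header),
            author_signature_by_i(tags, from_header))


# Constructed samples (not captured traffic); b=/bh= are placeholders.
SAMPLES = [
    # plain case: d= and i= both line up with From:
    ("Alice <alice@example.com>",
     "v=1; a=rsa-sha256; d=example.com; s=sel; i=@example.com;"
     " h=from:to:subject; bh=BODYHASH; b=SIGBYTES"),
    # one key under example.com reused for a subdomain via i=
    ("bob@sub.example.com",
     "v=1; a=rsa-sha256; d=example.com; s=sel; i=@sub.example.com;"
     " h=from:to; bh=BODYHASH; b=SIGBYTES"),
    # i= outside d=: not a valid DKIM identity at all
    ("alice@example.org",
     "v=1; a=rsa-sha256; d=example.com; s=sel; i=@example.org;"
     " h=from; bh=BODYHASH; b=SIGBYTES"),
    # "people can put anything in the i= tag": local part disagrees with From:
    ("alice@example.com",
     "v=1; a=rsa-sha256; d=example.com; s=sel; i=mailer@example.com;"
     " h=from; bh=BODYHASH; b=SIGBYTES"),
]

if __name__ == "__main__":
    for from_header, sig in SAMPLES:
        by_d, by_i = evaluate(sig, from_header)
        print("From: %-28s  d= match: %-5s  i= match: %s" % (from_header, by_d, by_i))
```

The second sample is the subdomain reuse described in the post: a single key published under example.com signs mail from sub.example.com, which the i= rule accepts and the d= rule does not. The fourth shows the other side of the argument, an i= local part that nobody registered and that makes the i= rule fail where d= succeeds.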