On Apr 7, 2009, at 1:58 PM, Siegel, Ellen wrote:
>
> Maybe something more like the following?
>
> "ADSP should not be used for domains that use "i=" values to enable
> a parent domain to sign for a subdomain (as described in section 3.8
> of [RFC4871]) unless an additional signature where the "d=" domain
> matches the "i=" domain is added."
Disagree. The proposed change in the ADSP Author Domain Signature definition is to allow the i= value to represent any sub-domain and/or any local-part within the domain. Unless further revised, the Author Signature definition still requires a valid DKIM signature applied by the Author Domain. In other words, the From email-address domain (Author Domain) and the SDID must be the same.

The current ADSP Author Signature definition in Section 2.7 states the following:

,---
An "author signature" is a Valid Signature that has the _same_ domain name in the DKIM signing identity as the domain name in the Author Address.
'---

Dropping the i= value as a constraining issue was the goal. This can be done by striking the following in Section 2.7:

,---
If the DKIM signing identity has a Local-part, it is to be identical to the Local-part in the Author Address. Following [RFC5321], Local-part comparisons are case sensitive, but domain comparisons are case insensitive.

For example, if a message has a Valid Signature, with the DKIM-Signature field containing "i...@domain.example", then domain.example is asserting that it takes responsibility for the message. If the message's From: field contains the address "b...@domain.example", that would mean that the message does not have a valid Author Signature. Even though the message is signed by the same domain, it will not satisfy ADSP that specifies "dkim=all" or "dkim=discardable".

Note: ADSP is incompatible with valid DKIM usage in which a signer uses "i=" with values that are not the same as addresses in mail headers. In that case, a possible workaround could be to add a second DKIM signature with a "d=" value that matches the Author Address, but no "i=".
'---

The following could be an appropriate note:

Informative Note: DKIM signing by parent domains as described in section 3.8 of [RFC4871], where a parent domain signs for a sub-domain within the From email-address, will not represent an Author Domain Signature.
ADSP requires the From email-address domain (Author Domain) and the signing domain (SDID) to be the same.

-Doug

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
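An added example, not code from the dkim-ietf thread or from any ADSP implementation, showing the identity comparison the two readings above imply. It evaluates the current Section 2.7 wording (taking "DKIM signing identity" to mean the i= tag, so the i= domain must equal the Author domain and any i= local-part must match the From: local-part case-sensitively) beside the proposed wording as Doug describes it (d=, the SDID, must equal the Author Domain, while i= may name any local-part or sub-domain within d=). The i= reading of the current text is my interpretation, as is the "i= within d=" check. It assumes the signature has already been cryptographically verified as a Valid Signature and that header values are unfolded; the sample From:/DKIM-Signature pairs, including the parent-signs-for-subdomain case from RFC 4871 section 3.8, are constructed, with placeholder b=/bh= values.

```python
"""Classify a DKIM signature as an ADSP "Author Signature" under the current
Section 2.7 text and under the proposed change as described in the thread.

Assumptions (mine, not the thread's): the signature is already a Valid
Signature, so only the identity comparison is done; headers are unfolded;
i= defaults to "@" + d= when absent (RFC 4871 section 3.5).
"""
from email.utils import parseaddr
from typing import Dict, Optional, Tuple


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Parse an unfolded DKIM-Signature tag=value list into a dict."""
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = "".join(value.split())  # drop whitespace inside values
    return tags


def author_address(from_header: str) -> Tuple[str, str]:
    """Local-part (case preserved) and domain (lowercased) of the From: mailbox."""
    _, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()


def signing_identity(tags: Dict[str, str]) -> Tuple[Optional[str], str]:
    """(local-part or None, domain) of the i= identity, defaulting to "@" + d=."""
    d = tags["d"].lower()
    i = tags.get("i")
    if i is None:
        return None, d
    local, _, domain = i.rpartition("@")
    return (local or None), domain.lower()


def is_author_signature_current(from_header: str, dkim_signature: str) -> bool:
    """Current Section 2.7 text (i= reading): the i= domain equals the Author
    domain (case-insensitive) and, if i= carries a local-part, it equals the
    From: local-part (case-sensitive, per RFC 5321)."""
    local, domain = author_address(from_header)
    sig_local, sig_domain = signing_identity(parse_dkim_tags(dkim_signature))
    if sig_domain != domain:
        return False
    return sig_local is None or sig_local == local


def is_author_signature_proposed(from_header: str, dkim_signature: str) -> bool:
    """Proposed change as Doug reads it: d= (the SDID) must equal the Author
    Domain; i= may be any local-part or sub-domain within d=."""
    _, domain = author_address(from_header)
    tags = parse_dkim_tags(dkim_signature)
    if tags["d"].lower() != domain:
        return False
    _, sig_domain = signing_identity(tags)
    # RFC 4871 already requires i= to be d= or a sub-domain of it; check anyway.
    return sig_domain == domain or sig_domain.endswith("." + domain)


def classify(from_header: str, dkim_signature: str) -> Tuple[bool, bool]:
    """(current, proposed) verdicts for one From:/DKIM-Signature pair."""
    return (is_author_signature_current(from_header, dkim_signature),
            is_author_signature_proposed(from_header, dkim_signature))


# Constructed samples; bh=/b= values are placeholders, not real signatures.
SAMPLES = {
    # Same domain, different local-part in i=: the case the struck text rejects.
    "other_localpart": ("Bob <bob@domain.example>",
        "v=1; a=rsa-sha256; d=domain.example; s=sel; i=alice@domain.example; "
        "h=from:to; bh=XXXX; b=YYYY"),
    # i= names a sub-domain of d= (permitted by RFC 4871 section 3.5).
    "subdomain_in_i": ("bob@domain.example",
        "v=1; a=rsa-sha256; d=domain.example; s=sel; i=bob@mail.domain.example; "
        "h=from; bh=XXXX; b=YYYY"),
    # Parent domain signs for a sub-domain From: (RFC 4871 section 3.8).
    "parent_signs_subdomain": ("bob@sub.domain.example",
        "v=1; a=rsa-sha256; d=domain.example; s=sel; i=@sub.domain.example; "
        "h=from; bh=XXXX; b=YYYY"),
    # Third-party signer: neither definition accepts it.
    "third_party": ("bob@domain.example",
        "v=1; a=rsa-sha256; d=example.net; s=sel; h=from; bh=XXXX; b=YYYY"),
    # Local-part differs only in case: case-sensitive under RFC 5321.
    "localpart_case": ("Bob@Domain.Example",
        "v=1; a=rsa-sha256; d=domain.example; s=sel; i=bob@domain.example; "
        "h=from; bh=XXXX; b=YYYY"),
}


if __name__ == "__main__":
    for name, (frm, sig) in SAMPLES.items():
        cur, prop = classify(frm, sig)
        print(f"{name:24s} current={cur!s:5s} proposed={prop}")
```

The two verdicts diverge in exactly the cases the thread is about: the parent-signs-for-subdomain sample is an Author Signature under the i= reading of the current text but not under the d=-based proposal, and the alice/bob and case-mismatch samples go the other way.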