On Apr 7, 2009, at 17:28, "Jim Fenton" <fen...@cisco.com> wrote:
> Siegel, Ellen wrote
>> I think it may be the "incompatible" that's causing the
>> disagreement. ADSP is not incompatible with that signing
>> configuration, it would just require that a second signature be
>> added.
>>
>> Maybe something more like the following?
>>
>> "ADSP should not be used for domains that use "i=" values to enable
>> a parent domain to sign for a subdomain (as described in section
>> 3.8 of [RFC4871]) unless an additional signature where the "d="
>> domain matches the "i=" domain is added."
>>
>
> Good thought, but since parent domain signing is largely to simplify key
> management (so that the public keys don't need to be published in each
> subdomain), it's not necessary to apply a parent domain signature if a
> signature where the d= value matches the actual From domain is also
> applied.
>
> But you're right, "incompatible" may be a little harsh; I just followed
> John Levine's wording in -09. How about:
>
>    Informative Note: DKIM signatures by parent domains as described in
>    section 3.8 of [RFC4871] (in which a signer uses "i=" to assert that
>    it is signing for a subdomain) do not satisfy the requirements for
>    an Author Domain Signature as defined above.
>
> -Jim
>

Works for me.

Ellen
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
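
The distinction discussed in this thread, as an added example that is not part of the original messages: a parent-domain signature (`d=` is the parent, `i=` names the subdomain) is told apart from a signature whose `d=` matches the From domain. It assumes the signatures have already been cryptographically verified elsewhere; the function names, header values and domains are constructed for illustration.

```python
from email.utils import parseaddr

def parse_tags(header_value):
    """Parse a DKIM-Signature tag=value list into a dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags

def author_domain(from_header):
    """Domain of the address in the From: header, lower-cased."""
    addr = parseaddr(from_header)[1]
    return addr.rpartition("@")[2].lower()

def classify(from_header, dkim_value):
    """Classify an already-verified signature relative to the From: domain."""
    tags = parse_tags(dkim_value)
    d = tags.get("d", "").lower().rstrip(".")
    # When i= is absent it defaults to "@" followed by the d= domain.
    i_domain = tags.get("i", "@" + d).rpartition("@")[2].lower()
    author = author_domain(from_header)
    if d and d == author:
        return "author-domain-signature"
    if d and i_domain == author and author.endswith("." + d):
        # Parent signing for a subdomain via i=: d= still names the parent.
        return "parent-domain-signature"
    return "third-party-signature"

def satisfies_author_domain(from_header, verified_signatures):
    """True if at least one verified signature has d= equal to the From domain."""
    return any(classify(from_header, s) == "author-domain-signature"
               for s in verified_signatures)

# Constructed sample data (placeholders stand in for bh= and b= values).
FROM = "Alice <alice@sub.example.com>"
PARENT_SIG = ("v=1; a=rsa-sha256; d=example.com; i=@sub.example.com; "
              "s=sel1; h=from:subject; bh=BODYHASH; b=SIGNATURE")
OWN_SIG = ("v=1; a=rsa-sha256; d=sub.example.com; "
           "s=sel2; h=from:subject; bh=BODYHASH; b=SIGNATURE")
OTHER_SIG = ("v=1; a=rsa-sha256; d=lists.example.net; "
             "s=sel3; h=from:subject; bh=BODYHASH; b=SIGNATURE")

if __name__ == "__main__":
    for sig in (PARENT_SIG, OWN_SIG, OTHER_SIG):
        print(classify(FROM, sig))
    print(satisfies_author_domain(FROM, [PARENT_SIG]))
```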