Siegel, Ellen wrote:
>> There remains some disagreement on whether the "informative note"
>> contained in the last paragraph of the text I proposed on March 27
>> should appear in the ADSP draft.  The note said:
>>
>>> Informative Note:  ADSP is incompatible with DKIM signing by parent
>>> domains described in section 3.8 of [RFC4871] in which a signer uses
>>> "i=" to assert that a parent domain is signing for a subdomain.
>>>
>> This would replace the Note in draft-ietf-dkim-ssp-09, section 2.7.
>>
>> Thus far, I feel it should be included and John Levine and Dave Crocker
>> feel it shouldn't.  May we have guidance from others in the Working
>> Group, please?
>>
>
> I think it may be the "incompatible" that's causing the disagreement. ADSP is 
> not incompatible with that signing configuration, it would just require that 
> a second signature be added. 
>
> Maybe something more like the following?
>
> "ADSP should not be used for domains that use "i=" values to enable a parent 
> domain to sign for a subdomain (as described in section 3.8 of [RFC4871]) 
> unless an additional signature where the "d=" domain matches the "i=" domain 
> is added."
>   

Good thought, but since parent domain signing is largely to simplify key
management (so that the public keys don't need to be published in each
subdomain), it's not necessary to apply a parent domain signature if a
signature where the d= value matches the actual From domain is also applied.

But you're right, "incompatible" may be a little harsh; I just followed
John Levine's wording in -09.  How about:

Informative Note:  DKIM signatures by parent domains as described in section 
3.8 of [RFC4871] (in which a signer uses "i=" to assert that it is signing for 
a subdomain) do not satisfy the requirements for an Author Domain Signature as 
defined above.

-Jim


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
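
The distinction discussed in this thread, as an added example that is not part of the original messages: a signature whose "d=" equals the From domain counts as an Author Domain Signature, while a parent-domain signature that only names the From domain in "i=" does not. The sample headers are constructed, the classification labels are names chosen for this example, and cryptographic verification of each signature is assumed to have already succeeded.

```python
import re
from email.utils import parseaddr

def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def classify(from_header, dkim_value):
    """Classify one signature (assumed already verified) against the From domain."""
    author_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    tags = parse_tags(dkim_value)
    d = tags.get("d", "").lower()
    # RFC 4871: when i= is absent it defaults to "@" followed by the d= value
    i_domain = tags.get("i", "@" + d).rpartition("@")[2].lower()
    if not d or not author_domain:
        return "malformed"
    if i_domain != d and not i_domain.endswith("." + d):
        return "malformed"  # i= must be the d= domain or a subdomain of it
    if d == author_domain:
        return "author-domain-signature"
    if i_domain == author_domain:
        return "parent-domain-signature"  # i= names the From domain, d= is its parent
    return "third-party-signature"

def satisfies_adsp(from_header, dkim_values):
    """True if at least one signature has d= equal to the From domain."""
    return any(classify(from_header, v) == "author-domain-signature"
               for v in dkim_values)

# Constructed sample data (bh= and b= are placeholders, not real hashes)
FROM = "Alice <alice@news.example.com>"
PARENT_SIG = ("v=1; a=rsa-sha256; d=example.com; i=@news.example.com; "
              "s=sel1; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED")
AUTHOR_SIG = ("v=1; a=rsa-sha256; d=news.example.com; s=sel2; "
              "h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED")
LIST_SIG = ("v=1; a=rsa-sha256; d=lists.example.net; s=sel3; "
            "h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED")

if __name__ == "__main__":
    for sig in (PARENT_SIG, AUTHOR_SIG, LIST_SIG):
        print(parse_tags(sig)["d"], "->", classify(FROM, sig))
    print("parent only:", satisfies_adsp(FROM, [PARENT_SIG]))
    print("parent + author:", satisfies_adsp(FROM, [PARENT_SIG, AUTHOR_SIG]))
```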
