On Apr 9, 2009, at 10:11 AM, J.D. Falk wrote:

> Siegel, Ellen wrote:
>
>>> Informative Note: DKIM signatures by parent domains as described
>>> in section 3.8 of [RFC4871] (in which a signer uses "i=" to assert
>>> that it is signing for a subdomain) do not satisfy the
>>> requirements for an Author Domain Signature as defined above.
> [ . . . ]
>> Works for me.
>
> +1
>
> (I'd use commas instead of parentheses, but that's minor.)
IMHO, this is still wrong. The i= value should be _ignored_ when determining ADSP compliance. I'll try some examples.

,----
DKIM-Signature: ... d=foo.example.com;
From: jon....@foo.example.com
'----

#### This would be a first-party or Author Domain Signature. Note the lack of the i= value.

,----
DKIM-Signature: ... d=example.com;
From: jon....@foo.example.com
'----

#### This would not be a first-party or Author Domain Signature. Again note the lack of an i= value.

,----
DKIM-Signature: ... d=example.com; i...@foo.example.com
From: jon....@example.com
'----

#### This would be a first-party or Author Domain Signature. Although in conflict with the prior definition, use of a sub-domain in the i= value helps ensure against accidental collisions with real email addresses, when the i= value represents a token for the on-behalf-of identity.

There is no reason for ADSP to facilitate parent domain signing. Parent domain ADSP assertions are impossible after all. Since each ADSP assertion MUST be made at the "_adsp._domainkey.email-address-domain TXT", creating a DNS entry at "<s=value>._domainkey.email-address-domain TXT" (which could point to a parent domain key using CNAME) represents only a minor effort. When it is too difficult to reference a key from the email-address domain, then don't make ADSP assertions at sub-domains intended to send and receive email.

Here is one more attempt at redefining section 2.7.

,----
A valid first party signature or "Author Domain Signature" is a Valid Signature where the domain name in the DKIM signing domain (SDID) is the same as the Author Domain. Any sub-domain included within the i= value (AUID) will not affect ADSP compliance. Only email-address domains that reference the DKIM key can comply with ADSP assertions.
'----

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
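The proposed section 2.7 rule, applied to the three cases in the post plus the RFC 4871 section 3.8 parent-domain case, as an added example that is not part of the thread or of any DKIM implementation. It assumes the signature has already been verified as a Valid Signature, takes the DKIM-Signature and From: header values as plain strings, and uses the single-author From: case only; sample headers are constructed.

```python
import re
from email.utils import parseaddr


def dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature tag-list (RFC 4871 section 3.2) into name -> value."""
    tags = {}
    # Unfold first: folding whitespace may appear anywhere in a tag-list.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)
    for item in unfolded.split(";"):
        if "=" not in item:
            continue
        name, value = item.split("=", 1)  # split once: b= values carry '=' padding
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def norm_domain(domain: str) -> str:
    """Domain names compare case-insensitively; a trailing dot is not significant."""
    return domain.strip().rstrip(".").lower()


def author_domain(from_value: str) -> str:
    """Author Domain: the domain part of the (single) From: address."""
    value = re.sub(r"^\s*from\s*:", "", from_value, flags=re.I)
    _, addr = parseaddr(value)
    return norm_domain(addr.rpartition("@")[2])


def is_author_domain_signature(dkim_value: str, from_value: str) -> bool:
    """Proposed 2.7 rule: SDID (d=) must equal the Author Domain.
    The AUID (i=) is deliberately never consulted, so a sub-domain in i=
    neither helps a parent-domain signature nor hurts a first-party one."""
    sdid = norm_domain(dkim_tags(dkim_value).get("d", ""))
    return bool(sdid) and sdid == author_domain(from_value)


def adsp_record_name(from_value: str) -> str:
    """The only place an ADSP assertion for this message can be published."""
    return "_adsp._domainkey." + author_domain(from_value)


# Constructed cases mirroring the post (case 4 is the section 3.8 parent signing).
CASES = [
    ("v=1; a=rsa-sha256; d=foo.example.com; s=sel", "jon@foo.example.com", True),
    ("v=1; a=rsa-sha256; d=example.com; s=sel", "jon@foo.example.com", False),
    ("v=1; a=rsa-sha256; d=example.com; i=token@foo.example.com", "jon@example.com", True),
    ("v=1; a=rsa-sha256; d=example.com; i=@foo.example.com", "jon@foo.example.com", False),
]

if __name__ == "__main__":
    for dkim, frm, expected in CASES:
        got = is_author_domain_signature(dkim, frm)
        print(f"{'OK ' if got == expected else 'BAD'} d={dkim_tags(dkim)['d']} From={frm} -> {got}")
```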