> -----Original Message-----
> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org]
> On Behalf Of Jim Fenton
> Sent: Wednesday, October 13, 2010 2:34 PM
> To: Barry Leiba
> Cc: IETF DKIM WG
> Subject: Re: [ietf-dkim] Last call comment: Changing the g= definition
>
> > 3.6.1.1. Compatibility Note for DomainKeys
> >
> > Key records for DKIM are backward-compatible with key records
> > for the now-obsolete DomainKeys [RFC4870], except in one
> > circumstance: DomainKeys interpreted an empty "g=" value to
> > match any signing address ("i=" in the signature). In DKIM, that
> > matching is done by "g=*", or by omitting "g=" and taking the
> > default behaviour. An empty "g=" value in DKIM will match only
> > empty "i=" values.
> >
> > If a key record uses an empty "g=" value and also uses "v=",
> > the key record can be identified as belonging to DKIM, and the
> > DKIM interpretation will be used. Absent a "v=" tag, though,
> > the verifier cannot tell whether the signer intended the
> > DomainKeys interpretation or the DKIM one.
> >
> > To avoid second-guessing in a security context, and because
> > DomainKeys is an obsolete protocol, DKIM verifiers MUST
> > interpret this situation in DKIM terms, matching only
> > empty "i=" values.
A quick point of order here: This is based on errata #1532, which is "Held for Document Update". Are we free to change the proposed semantics that are described there, which do allow for a back-compatibility interpretation?

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
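The quoted draft text describes a verifier decision: how the key record's "g=" tag is matched against the local-part of the signature's "i=" tag, and why an empty "g=" must be read in DKIM terms even when no "v=" tag disambiguates it. The following is an added example written for this page; it is not code from the draft, from the thread, or from any DKIM implementation. It assumes the RFC 4871 rules that an absent "g=" defaults to "*", that "*" may appear at most once and matches zero or more characters, and that an absent "i=" defaults to "@d" (so its local-part is the empty string). The DomainKeys-style function is included only to show what the obsolete interpretation would have accepted.

```python
"""Constructed example: evaluating a DKIM key record's g= tag against the
local-part of a signature's i= tag, always using the DKIM interpretation
(empty g= matches only an empty i= local-part), as the quoted text requires.
Not code from the draft or from any DKIM implementation."""

from typing import Dict, Optional


def parse_tag_list(value: str) -> Dict[str, str]:
    """Parse a DKIM tag=value list such as "v=DKIM1; g=*; k=rsa" into a dict.
    Tags with an empty value are kept, because an empty g= is exactly the
    case under discussion."""
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip()] = val.strip()
    return tags


def i_local_part(i_tag: Optional[str]) -> str:
    """Local-part of the signature's i= (AUID). An absent i= defaults to
    "@d" (assumed RFC 4871 default), whose local-part is the empty string."""
    if i_tag is None:
        return ""
    local, _, _ = i_tag.rpartition("@")
    return local


def g_matches_dkim(g: str, local: str) -> bool:
    """DKIM rule: g= must equal the local-part, with at most one '*' standing
    for zero or more characters. An empty g= therefore matches only an empty
    local-part; it is not a wildcard."""
    if g.count("*") > 1:
        return False  # more than one wildcard is not permitted; treat as no match
    if "*" not in g:
        return g == local
    prefix, _, suffix = g.partition("*")
    return (
        local.startswith(prefix)
        and local.endswith(suffix)
        and len(local) >= len(prefix) + len(suffix)  # prefix and suffix must not overlap
    )


def g_matches_domainkeys(g: str, local: str) -> bool:
    """Obsolete DomainKeys reading, for comparison only: an empty g= matched
    any signing address."""
    if g == "":
        return True
    return g_matches_dkim(g, local)


def key_permits_signature(key_record: str, i_tag: Optional[str]) -> bool:
    """Decide whether a published key record permits a signature carrying the
    given i= tag. Per the quoted text, the DKIM interpretation is applied
    whether or not the record carries a v= tag, so a key record without v=
    is never given the DomainKeys reading."""
    tags = parse_tag_list(key_record)
    g = tags.get("g", "*")  # assumed RFC 4871 default: absent g= means "*"
    return g_matches_dkim(g, i_local_part(i_tag))


if __name__ == "__main__":
    # Constructed sample records and signatures.
    for record, i_tag in [
        ("v=DKIM1; g=; k=rsa", "@example.com"),     # empty g=, empty local-part
        ("v=DKIM1; g=; k=rsa", "bob@example.com"),  # empty g=, non-empty local-part
        ("g=; k=rsa", "bob@example.com"),           # no v=: still the DKIM reading
        ("k=rsa", "bob@example.com"),               # g= absent: defaults to "*"
        ("g=bob*; k=rsa", "bobby@example.com"),     # single wildcard
    ]:
        print(f"{record!r:28} i={i_tag!r:22} -> {key_permits_signature(record, i_tag)}")
```

The `("g=; k=rsa", "bob@example.com")` case is the ambiguous record the draft text is about: under the DomainKeys reading it would be accepted, under the mandated DKIM reading it is rejected.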