On August 9, 2005 at 15:42, Michael Thomas wrote:
> > This is precisely what DKIM does. It is the domain administrator who defines
> > the DNS records used by DKIM and DKIM's granularity of the validated identity is
> > a domain name.
>
> That is not correct. The local part of the i= is intended to
> provide a binding to the local part of outside origination
> headers, not just the domain part. Which is why it is,
> in fact, a primary goal.
The setting of i= is under the control of the signing agent, which does not have to be the author/sender. If I understand Dave's (and some others') view of DKIM, it is the domain owner who has control of setting i= (via the domain owner's signing process). The granularity of the value of i= is solely up to the domain owner and the internal (security) policies it defines when signing messages submitted by the domain owner's users.

The only way the author/sender has control over i= is if they have control over the DKIM signing software and are themselves the domain owner (or have an agreement with the domain owner to control the signing process). But here, the whole signing/verification process is still domain-based. As DKIM is currently defined, the i= tag must also be a sub-domain of the d= tag. Therefore, the "identity" of the user is determined by the domain owner and not the author/sender.

The strength of the identity specified in i= is completely up to the domain owner, and only has meaning to the domain owner. As noted in the DKIM draft, the value of i= may not represent any address value in a message header (e.g. rfc2822.from/sender).

Independent of the merits of DKIM, I think it helps to view it (and other competing proposals) in terms of who has control over the signing process (and to a lesser extent the verification process). This helps to determine where accountability lies for a particular mail message. In DKIM, the domain owner has ultimate control over the signing process, not authors/senders. Therefore, it is the domain owner who has ultimate accountability.

--ewh

_______________________________________________
ietf-dkim mailing list
[email protected]
http://mipassoc.org/mailman/listinfo/ietf-dkim
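The i=/d= relationship discussed in this message, as an added example that is not part of the thread or of any DKIM implementation: a small verifier-side check that parses the tag list of a DKIM-Signature field, confirms that the domain of i= is d= or a subdomain of it (the rule the post refers to; it is the one in RFC 4871 section 3.5, where a missing i= defaults to "@" plus d=), and then compares i= against the rfc2822.from address to show that the two need not agree. The headers are constructed sample data, not real mail, and the signature values are placeholders; the code does no cryptographic verification.

```python
"""Check the i= / d= relationship in a DKIM-Signature header field.

Added example. The headers below are constructed for illustration and are
not taken from the mailing-list thread; b= and bh= are dummy values.
"""
import re
from email.utils import parseaddr

# Constructed sample headers: signing domain example.com, signer-chosen
# identity under a subdomain, author address in the parent domain.
SAMPLE_HEADERS = {
    "From": "Alice Example <alice@example.com>",
    "DKIM-Signature": (
        "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1;\r\n"
        " h=from:to:subject:date; i=alice@mail.example.com;\r\n"
        " bh=ZmFrZWJvZHloYXNo; b=ZmFrZXNpZ25hdHVyZQ=="
    ),
}


def parse_dkim_tags(value):
    """Split a tag=value list (RFC 4871 section 3.2) into a dict.

    Folding whitespace is unfolded, tag names are lower-cased, whitespace
    inside values (allowed FWS) is dropped, and duplicate tags are rejected
    as the specification requires.
    """
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    tags = {}
    for item in unfolded.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        name, tag_value = item.split("=", 1)
        name = name.strip().lower()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = "".join(tag_value.split())
    return tags


def domain_of_identity(identity):
    """Domain part of an i= value (text after the last '@'), lower-cased."""
    if "@" not in identity:
        raise ValueError("i= must contain '@'")
    return identity.rsplit("@", 1)[1].lower()


def identity_within_domain(identity, signing_domain):
    """True iff the i= domain equals d= or is a subdomain of d=."""
    dom = domain_of_identity(identity)
    d = signing_domain.lower()
    return dom == d or dom.endswith("." + d)


def check_identity(headers):
    """Report how the signer-chosen i= relates to d= and to the From address.

    Assumes the i= local part contains no dkim-quoted-printable escapes.
    Local parts are compared case-insensitively here purely for illustration.
    """
    tags = parse_dkim_tags(headers["DKIM-Signature"])
    d = tags["d"].lower()
    i = tags.get("i", "@" + d)  # default per RFC 4871: empty local part at d=
    from_addr = parseaddr(headers.get("From", ""))[1].lower()
    return {
        "d": d,
        "i": i.lower(),
        "i_within_d": identity_within_domain(i, d),
        # The local part of i= is whatever the signer chose; nothing forces
        # it to match the author address, which is the point of the post.
        "i_equals_from": i.lower() == from_addr,
    }


if __name__ == "__main__":
    print(check_identity(SAMPLE_HEADERS))
```

Run against the constructed headers, the check passes the subdomain rule (mail.example.com is under example.com) while reporting that i= does not equal the From address; a verifier that wants to tie the signature to the author must make that comparison itself, since DKIM alone does not.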
