On Mon, 2006-07-31 at 23:25 -0400, Scott Kitterman wrote:
> On Monday 31 July 2006 21:22, John Levine wrote:
> >> I think this is the key issue then and we ought to focus on it. In
> >> my view almost the entire point of a signing policy is constraining
> >> whose signatures are considered authorized by the domain owner.
> >
> > I'm assuming that when you say authorized, you mean authoritative.
> > (English definitely has its shortcomings.)
>
> I meant authorized, as I think the SSP concept is about authorization.
> I can see where authoritative fits better as I wrote it. I'm not sure
> there is a distinction between the two worth arguing about.

The last time policy was reviewed before starting on the base draft, the conclusion was that policy is not an authorization function; rather, policy indicates what the identity uses or does. With that in mind, John's terminology of "authoritative" better reflects that view.

Assume that the 2822.From domain indicates both the use of designated domains and non-designated domains. Assume also that by definition designated domains MUST employ DKIM, but that non-designated domains MAY employ DKIM. A designated domain might also be defined as being "authoritative" when it comes to concerns related to whether the message is being replayed or whether the identity header is valid. The same policy may also indicate use of non-designated domains that are defined as "not authoritative."

Your Authorization terminology is easily confused with what might be implied by "authoritative." For either the designated or non-designated domains, their indicated use might imply an "authorization of use" when viewing policy as an authorization function. It seems better to avoid referring to policy as "authorization" to keep the terminology consistent and what is being indicated clear.

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
