On Aug 1, 2006, at 5:29 PM, Michael Thomas wrote:

Actually this seems like a good point: it's a discovery marker much more than policy marker. This sort of folds in with the nicety of having this sort of stuff around for forensic purposes.

Is there any discovery related requirement here other than the "must complete in deterministic number of steps" one that we all seem to agree on?

At its core, policy can be a simple list of designated signing domains and a flag indicating only designated signing domains are used. An empty list and the flag not set would be a suitable default to be assumed when nothing is published, or used to safely terminate a search without prejudice.

When policy sets the flag indicating only designated signing domains are used, the list of signing domains can exclude the 2822.From domain and include others. If there are no other domains within the list, then that would be equivalent to asserting that no mail should be expected from this 2822.From domain. A statement "I sign nothing" seems out of context for how this policy might be used. Signing clearly overrides a statement of not signing.

A better statement to terminate a search would be "This 2822.From domain uses non-designated domains" or in other words "This 2822.From domain offers an empty list without a flag indicating exclusive use of designated signing domains." By definition out of practical consideration, non-designated domains may or may not employ DKIM. After all, no protection would be lost. While there might be some value allowing a rather odd corner case the means to make an assertion "invalid signatures of this domain are bogus because they should not exist", this does not seem to merit the use of a flag, however. I could agree on asserting a non-prejudicial default as a means to terminate a search, assuming that a search is needed.

-Doug

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
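
An added example, not part of the original message or of any DKIM specification: one way to model the list-plus-flag policy described above, with a bounded search that any published record (including the empty, non-prejudicial one) terminates. The parent-domain walk, the `MAX_STEPS` bound, the result names and the sample domains are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MAX_STEPS = 5  # assumed bound so the search finishes in a fixed number of lookups

@dataclass(frozen=True)
class Policy:
    designated: frozenset = frozenset()  # designated signing domains
    exclusive: bool = False              # flag: only designated domains sign

DEFAULT = Policy()  # empty list, flag not set: assumed when nothing is published

# Constructed sample records standing in for published policy.
PUBLISHED = {
    "example.com": Policy(frozenset({"esp.example.net"}), True),  # excludes itself
    "parked.example": Policy(frozenset(), True),   # exclusive and empty list
    "lists.example.org": Policy(),                 # explicit non-prejudicial record
}

def find_policy(from_domain, published):
    """Look up the 2822.From domain, then its parents (assumed search order).
    Returns (policy, lookups used); never exceeds MAX_STEPS lookups."""
    labels = from_domain.lower().rstrip(".").split(".")
    steps = 0
    for i in range(len(labels) - 1):  # never query the bare top-level label
        if steps == MAX_STEPS:
            break
        steps += 1
        name = ".".join(labels[i:])
        if name in published:
            return published[name], steps  # any record ends the search
    return DEFAULT, steps

def evaluate(from_domain, valid_signers, published):
    """Classify a message from its 2822.From domain and the domains whose
    signatures verified. Result strings are hypothetical labels."""
    policy, _ = find_policy(from_domain, published)
    signers = {d.lower() for d in valid_signers}
    if signers & policy.designated:
        return "designated-signature"
    if not policy.exclusive:
        return "no-prejudice"       # non-designated domains may or may not sign
    if not policy.designated:
        return "no-mail-expected"   # exclusive flag with an empty list
    return "not-designated"         # signed (or unsigned) outside the list

if __name__ == "__main__":
    for dom, sigs in [("example.com", ["esp.example.net"]),
                      ("example.com", ["example.com"]),
                      ("parked.example", []),
                      ("unpublished.example.net", [])]:
        print(dom, sigs, "->", evaluate(dom, sigs, PUBLISHED))
```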
