On Mar 24, 2008, at 10:00 PM, Jim Fenton wrote:

> Section 4.3, "The Selector Construct", talks quite a bit about
> identities for doing assessments. Other than the point that it
> makes in the section beginning NOTE:, none of this has anything to
> do with selectors. Furthermore, I consider it premature to define
> the identity(-ies) that might be used for assessments, not having
> operational experience with this (although I do agree that making
> assessments based on the selector is a Bad Idea).
>
> The last paragraph also suggests the use of different sub-domains
> for d=, but does not point out that the author address must also
> follow suit, otherwise the message may not be seen to be in
> compliance with Signing Policy.

IMHO, signing policy should separate itself from constraints defined by RFC4871 regarding the scope of identities that can be associated with signatures. Signing Policy should be limited to whether a particular domain signs all of their messages, where which identities are associated with the signature is a separate issue. It is counterproductive to have verifiers expend efforts policing the scope of identities included within a policy hierarchy extending to sub-domains. Is this really a problem that needs to be solved via signing policy? After all, a parent domain is free to publish any records they wish, where DKIM is unable to change that reality.

> Specifically, I suggest the removal of all but the first sentence of
> paragraph 1, and all of the last paragraph of the section.

Disagree, this is perhaps one sentence that gets the link to a responsible entity right?

-Doug

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
