draft-ietf-dkim-rfc4871-errata-05.txt   draft-ietf-dkim-rfc4871-errata-06.txt 
DKIM D. Crocker, Ed. DKIM D. Crocker, Ed.
Internet-Draft Brandenburg InternetWorking Internet-Draft Brandenburg InternetWorking
Updates: RFC4871 May 22, 2009 Updates: RFC4871 June 10, 2009
(if approved) (if approved)
Intended status: Standards Track Intended status: Standards Track
Expires: November 23, 2009 Expires: December 12, 2009
RFC 4871 DomainKeys Identified Mail (DKIM) Signatures -- Update RFC 4871 DomainKeys Identified Mail (DKIM) Signatures -- Update
draft-ietf-dkim-rfc4871-errata-05 draft-ietf-dkim-rfc4871-errata-06
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. This document may contain material provisions of BCP 78 and BCP 79. This document may contain material
from IETF Documents or IETF Contributions published or made publicly from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from IETF Standards Process. Without obtaining an adequate license from
skipping to change at page 1, line 44 skipping to change at page 1, line 44
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on November 23, 2009. This Internet-Draft will expire on December 12, 2009.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info). publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 24 skipping to change at page 2, line 24
Specifically the document clarifies the nature, roles and Specifically the document clarifies the nature, roles and
relationship of the two DKIM identifier tag values that are relationship of the two DKIM identifier tag values that are
candidates for payload delivery to a receiving processing module. candidates for payload delivery to a receiving processing module.
The Update is in the style of an Errata entry, albeit a rather long The Update is in the style of an Errata entry, albeit a rather long
one. one.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. RFC 4871 Abstract . . . . . . . . . . . . . . . . . . . . . . 3 2. RFC 4871 Abstract . . . . . . . . . . . . . . . . . . . . . . 3
3. RFC4871 Section 1. Introduction . . . . . . . . . . . . . . . 4 3. RFC4871 Section 1 Introduction . . . . . . . . . . . . . . . 4
4. RFC4871 Section 2.7 Identity . . . . . . . . . . . . . . . . . 4 4. RFC4871 Section 2.7 Identity . . . . . . . . . . . . . . . . 4
5. RFC4871 Section 2.8 Identifier . . . . . . . . . . . . . . . . 4 5. RFC4871 Section 2.8 Identifier . . . . . . . . . . . . . . . 4
6. RFC4871 Section 2.9 Signing Domain Identifier (SDID) . . . . . 4 6. RFC4871 Section 2.9 Signing Domain Identifier (SDID) . . . . 5
7. RFC4871 Section 2.10 Agent or User Identifier (AUID) . . . . . 5 7. RFC4871 Section 2.10 Agent or User Identifier (AUID) . . . . 5
8. RFC4871 Section 2.11 Identity Assessor . . . . . . . . . . . . 5 8. RFC4871 Section 2.11 Identity Assessor . . . . . . . . . . . 5
9. RFC4871 Section 3.5 The DKIM-Signature Header Field . . . . . 6 9. RFC4871 Section 3.5 The DKIM-Signature Header Field . . . . . 6
10. RFC4871 Section 3.5 The DKIM-Signature Header Field . . . . . 7 10. RFC4871 Section 3.5 The DKIM-Signature Header Field . . . . . 7
11. RFC4871 Section 3.8. Signing by Parent Domains . . . . . . . 9 11. RFC4871 Section 3.8 Signing by Parent Domains . . . . . . . . 9
12. RFC4871 Section 3.9 Relationship Between SDID and AUID . . . . 9 12. RFC4871 Section 3.9 Relationship Between SDID and AUID . . . 10
13. RFC4871 Section 6.3. Interpret Results/Apply Local Policy . . 10 13. RFC4871 Section 6.3 Interpret Results/Apply Local Policy . . 11
14. RFC4871 Section 6.3. Interpret Results/Apply Local Policy . . 11 14. RFC4871 Section 6.3 Interpret Results/Apply Local Policy . . 12
15. RFC4871 Appendix D. MUA Considerations . . . . . . . . . . . 11 15. RFC4871 Appendix D. MUA Considerations . . . . . . . . . . . 12
16. Security Considerations . . . . . . . . . . . . . . . . . . . 11 16. Security Considerations . . . . . . . . . . . . . . . . . . . 12
17. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 17. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
18. Normative References . . . . . . . . . . . . . . . . . . . . . 12 18. Normative References . . . . . . . . . . . . . . . . . . . . . 13
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 12 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 13
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
About the purpose for DKIM, [RFC4871] states: About the purpose for DKIM, [RFC4871] states:
The ultimate goal of this framework is to permit a signing domain The ultimate goal of this framework is to permit a signing domain
to assert responsibility for a message, thus protecting message to assert responsibility for a message, thus protecting message
signer identity... signer identity...
Hence, DKIM has a signer that produces a signed message, a verifier Hence, DKIM has a signer that produces a signed message, a verifier
skipping to change at page 3, line 42 skipping to change at page 3, line 42
interpretations of how DKIM operates. interpretations of how DKIM operates.
This update resolves this confusion. It defines new labels for the This update resolves this confusion. It defines new labels for the
two values, clarifies their nature, and specifies their relationship. two values, clarifies their nature, and specifies their relationship.
NOTE: The text provided here updates [RFC4871]. All references and NOTE: The text provided here updates [RFC4871]. All references and
all appearances of RFC-2119 keywords are replacing text in RFC all appearances of RFC-2119 keywords are replacing text in RFC
4871. Hence those references are in that document and are not 4871. Hence those references are in that document and are not
needed here. needed here.
2. RFC 4871 Abstract The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]
2. RFC 4871 Abstract
Original Text: Original Text:
The ultimate goal of this framework is to permit a signing domain The ultimate goal of this framework is to permit a signing domain
to assert responsibility for a message, to assert responsibility for a message,
Corrected Text: Corrected Text:
The ultimate goal of this framework is to permit a person, role or The ultimate goal of this framework is to permit a person, role or
organization that owns the signing domain to assert responsibility organization that owns the signing domain to assert responsibility
for a message, for a message,
3. RFC4871 Section 1. Introduction 3. RFC4871 Section 1 Introduction
Original Text: Original Text:
...permitting a signing domain to claim responsibility ...permitting a signing domain to claim responsibility
Corrected Text: Corrected Text:
permitting a person, role or organization that owns the signing permitting a person, role or organization that owns the signing
domain to claim responsibility domain to claim responsibility
4. RFC4871 Section 2.7 Identity 4. RFC4871 Section 2.7 Identity
Original Text: Original Text:
(None. Additional text.) (None. New section. Additional text.)
Corrected Text: Corrected Text:
A person, role or organization. In the context of DKIM, examples A person, role or organization. In the context of DKIM, examples
include author, author's organization, an ISP along the handling include author, author's organization, an ISP along the handling
path, an independent trust assessment service, and a mailing list path, an independent trust assessment service, and a mailing list
operator. operator.
5. RFC4871 Section 2.8 Identifier 5. RFC4871 Section 2.8 Identifier
Original Text: Original Text:
(None. Additional text.) (None. New section. Additional text.)
Corrected Text: Corrected Text:
A label that refers to an identity. A label that refers to an identity.
6. RFC4871 Section 2.9 Signing Domain Identifier (SDID) 6. RFC4871 Section 2.9 Signing Domain Identifier (SDID)
Original Text: Original Text:
(None. Additional text.) (None. New section. Additional text.)
Corrected Text: Corrected Text:
A single domain name that is the mandatory payload output of DKIM A single domain name that is the mandatory payload output of DKIM
and that refers to the identity claiming responsibility for and that refers to the identity claiming responsibility for
introduction of a message into the mail stream. For DKIM introduction of a message into the mail stream. For DKIM
processing, the name has only basic domain name semantics; any processing, the name has only basic domain name semantics; any
possible owner-specific semantics are outside the scope of DKIM. possible owner-specific semantics are outside the scope of DKIM.
It is specified in section 3.5. It is specified in section 3.5.
7. RFC4871 Section 2.10 Agent or User Identifier (AUID) 7. RFC4871 Section 2.10 Agent or User Identifier (AUID)
Original Text: Original Text:
(None. Additional text.) (None. New section. Additional text.)
Corrected Text: Corrected Text:
A single identifier that refers to the agent or user on behalf of A single identifier that refers to the agent or user on behalf of
whom the SDID has taken responsibility. The AUID comprises a whom the SDID has taken responsibility. The AUID comprises a
domain name and an optional <Local-part>. The domain name is the domain name and an optional <Local-part>. The domain name is the
same as that used for the SDID or is a sub-domain of it. For DKIM same as that used for the SDID or is a sub-domain of it. For DKIM
processing, the domain name portion of the AUID has only basic processing, the domain name portion of the AUID has only basic
domain name semantics; any possible owner-specific semantics are domain name semantics; any possible owner-specific semantics are
outside the scope of DKIM. It is specified in section 3.5. outside the scope of DKIM. It is specified in section 3.5.
8. RFC4871 Section 2.11 Identity Assessor 8. RFC4871 Section 2.11 Identity Assessor
Original Text: Original Text:
(None. Additional text.) (None. New section. Additional text.)
Corrected Text: Corrected Text:
A module that consumes DKIM's mandatory payload, which is the A module that consumes DKIM's mandatory payload, which is the
responsible Signing Domain Identifier (SDID). The module is responsible Signing Domain Identifier (SDID). The module is
dedicated to the assessment of the delivered identifier. Other dedicated to the assessment of the delivered identifier. Other
DKIM (and non-DKIM) values can also be delivered to this module as DKIM (and non-DKIM) values can also be delivered to this module as
well as to a more general message evaluation filtering engine. well as to a more general message evaluation filtering engine.
However, this additional activity is outside the scope of the DKIM However, this additional activity is outside the scope of the DKIM
signature specification. signature specification.
skipping to change at page 6, line 24 skipping to change at page 6, line 27
When presented with a signature that does not meet these When presented with a signature that does not meet these
requirement, verifiers MUST consider the signature invalid. requirement, verifiers MUST consider the signature invalid.
Internationalized domain names MUST be encoded as described in Internationalized domain names MUST be encoded as described in
[RFC3490]. [RFC3490].
ABNF: ABNF:
sig-d-tag = %x64 [FWS] "=" [FWS] domain-name sig-d-tag = %x64 [FWS] "=" [FWS] domain-name
domain-name = sub-domain 1*("." sub-domain) domain-name = sub-domain 1*("." sub-domain)
; from RFC 2821 Domain, but excluding address-literal ; from RFC 2821 Domain,
but excluding address-literal
Corrected Text: Corrected Text:
d= d=
Specifies the SDID claiming responsibility for an introduction Specifies the SDID claiming responsibility for an introduction
of a message into the mail stream (plain-text; REQUIRED). This of a message into the mail stream (plain-text; REQUIRED).
is the domain that will be queried for the public key. The Hence the SDID value is used to form the query for the public
SDID MUST correspond to a valid DNS name under which the DKIM key. The SDID MUST correspond to a valid DNS name under which
key record is published. The conventions and semantics used by the DKIM key record is published. The conventions and
a signer to create and use a specific SDID are outside the semantics used by a signer to create and use a specific SDID
scope of the DKIM Signing specification, as is any use of those are outside the scope of the DKIM Signing specification, as is
conventions and semantics. When presented with a signature any use of those conventions and semantics. When presented
that does not meet these requirements, verifiers MUST consider with a signature that does not meet these requirements,
the signature invalid. verifiers MUST consider the signature invalid.
Internationalized domain names MUST be encoded as described in Internationalized domain names MUST be encoded as described in
[RFC3490]. [RFC3490].
ABNF: ABNF:
sig-d-tag = %x64 [FWS] "=" [FWS] domain-name sig-d-tag = %x64 [FWS] "=" [FWS] domain-name
domain-name = sub-domain 1*("." sub-domain) domain-name = sub-domain 1*("." sub-domain)
; from RFC 2821 Domain, but excluding ; from RFC 5321 Domain,
address-literal but excluding address-literal
10. RFC4871 Section 3.5 The DKIM-Signature Header Field 10. RFC4871 Section 3.5 The DKIM-Signature Header Field
Original Text: Original Text:
i= Identity of the user or agent (e.g., a mailing list manager) on i= Identity of the user or agent (e.g., a mailing list manager) on
behalf of which this message is signed (dkim-quoted-printable; behalf of which this message is signed (dkim-quoted-printable;
OPTIONAL, default is an empty Local-part followed by an "@" OPTIONAL, default is an empty Local-part followed by an "@"
followed by the domain from the "d=" tag). The syntax is a followed by the domain from the "d=" tag). The syntax is a
standard email address where the Local-part MAY be omitted. The standard email address where the Local-part MAY be omitted. The
domain part of the address MUST be the same as or a subdomain of domain part of the address MUST be the same as or a subdomain of
the value of the "d=" tag. the value of the "d=" tag.
Internationalized domain names MUST be converted using the steps Internationalized domain names MUST be converted using the steps
listed in Section 4 of [RFC3490] using the "ToASCII" function. listed in Section 4 of [RFC3490] using the "ToASCII" function.
ABNF: ABNF:
sig-i-tag = sig-i-tag = %x69 [FWS] "=" [FWS]
%x69 [FWS] "=" [FWS] [ Local-part ] "@" domain-name [ Local-part ] "@" domain-name
INFORMATIVE NOTE: The Local-part of the "i=" tag is optional INFORMATIVE NOTE: The Local-part of the "i=" tag is optional
because in some cases a signer may not be able to establish a because in some cases a signer may not be able to establish a
verified individual identity. In such cases, the signer may verified individual identity. In such cases, the signer may
wish to assert that although it is willing to go as far as wish to assert that although it is willing to go as far as
signing for the domain, it is unable or unwilling to commit signing for the domain, it is unable or unwilling to commit
to an individual user name within their domain. It can do so to an individual user name within their domain. It can do so
by including the domain part but not the Local-part of the by including the domain part but not the Local-part of the
identity. identity.
skipping to change at page 9, line 5 skipping to change at page 9, line 46
INFORMATIVE NOTE: The Local-part of the "i=" tag is optional INFORMATIVE NOTE: The Local-part of the "i=" tag is optional
because in some cases a signer may not be able to establish a because in some cases a signer may not be able to establish a
verified individual identity. In such cases, the signer might verified individual identity. In such cases, the signer might
wish to assert that although it is willing to go as far as wish to assert that although it is willing to go as far as
signing for the domain, it is unable or unwilling to commit to signing for the domain, it is unable or unwilling to commit to
an individual user name within their domain. It can do so by an individual user name within their domain. It can do so by
including the domain part but not the Local-part of the including the domain part but not the Local-part of the
identity. identity.
11. RFC4871 Section 3.8. Signing by Parent Domains 11. RFC4871 Section 3.8 Signing by Parent Domains
Original Text: Original Text:
e.g., a key record for the domain example.com can be used to verify e.g., a key record for the domain example.com can be used to verify
messages where the signing identity ("i=" tag of the signature) is messages where the signing identity ("i=" tag of the signature) is
sub.example.com, or even sub1.sub2.example.com. In order to limit sub.example.com, or even sub1.sub2.example.com. In order to limit
the capability of such keys when this is not intended, the "s" flag the capability of such keys when this is not intended, the "s" flag
may be set in the "t=" tag of the key record to constrain the may be set in the "t=" tag of the key record to constrain the
validity of the record to exactly the domain of the signing identity. validity of the record to exactly the domain of the signing identity.
If the referenced key record contains the "s" flag as part of the If the referenced key record contains the "s" flag as part of the
skipping to change at page 9, line 36 skipping to change at page 10, line 32
limit the capability of such keys when this is not intended, the limit the capability of such keys when this is not intended, the
"s" flag MAY be set in the "t=" tag of the key record, to "s" flag MAY be set in the "t=" tag of the key record, to
constrain the validity of the domain of the AUID. If the constrain the validity of the domain of the AUID. If the
referenced key record contains the "s" flag as part of the "t=" referenced key record contains the "s" flag as part of the "t="
tag, the domain of the AUID ("i=" flag) MUST be the same as that tag, the domain of the AUID ("i=" flag) MUST be the same as that
of the SDID (d=) domain. If this flag is absent, the domain of of the SDID (d=) domain. If this flag is absent, the domain of
the AUID MUST be the same as, or a subdomain of, the SDID. the AUID MUST be the same as, or a subdomain of, the SDID.
12. RFC4871 Section 3.9 Relationship Between SDID and AUID 12. RFC4871 Section 3.9 Relationship Between SDID and AUID
Original Text: (None. This is an addition.) Original Text: (None. New section. Additional text.)
Corrected Text: Corrected Text:
DKIM's primary task is to communicate from the Signer to a DKIM's primary task is to communicate from the Signer to a
recipient-side Identity Assessor a single Signing Domain recipient-side Identity Assessor a single Signing Domain
Identifier (SDID) that refers to a responsible identity. DKIM MAY Identifier (SDID) that refers to a responsible identity. DKIM MAY
optionally provide a single responsible Agent or User Identifier optionally provide a single responsible Agent or User Identifier
(AUID). (AUID).
Hence, DKIM's mandatory output to a receive-side Identity Assessor Hence, DKIM's mandatory output to a receive-side Identity Assessor
skipping to change at page 10, line 18 skipping to change at page 11, line 14
communicate the Agent or User Identifier (i=) if present. communicate the Agent or User Identifier (i=) if present.
To the extent that a receiver attempts to intuit any structured To the extent that a receiver attempts to intuit any structured
semantics for either of the identifiers, this is a heuristic semantics for either of the identifiers, this is a heuristic
function that is outside the scope of DKIM's specification and function that is outside the scope of DKIM's specification and
semantics. Hence it is relegated to a higher-level service, such semantics. Hence it is relegated to a higher-level service, such
as a delivery handling filter that integrates a variety of inputs as a delivery handling filter that integrates a variety of inputs
and performs heuristic analysis of them. and performs heuristic analysis of them.
INFORMATIVE DISCUSSION: This document does not require the value INFORMATIVE DISCUSSION: This document does not require the value
of the SDID or AUID to match the identity in any message header of the SDID or AUID to match the identifier in any other message
fields. This is considered to be an assessor policy issue. header field. This requirement is, instead, an assessor policy
Constraints between the value of the SDID or AUID and other issue. The purpose of such a linkage would be to authenticate the
identities in other header fields seek to apply basic value in that other header field. This, in turn, is the basis for
authentication into the semantics of trust associated with a role applying a trust assessment based on the identifier value. Trust
such as content author. Trust is a broad and complex topic and is a broad and complex topic and trust mechanisms are subject to
trust mechanisms are subject to highly creative attacks. The highly creative attacks. The real-world efficacy of any but the
real-world efficacy of any but the most basic bindings between the most basic bindings between the SDID or AUID and other identities
SDID or AUID and other identities is not well established, nor is is not well established, nor is its vulnerability to subversion by
its vulnerability to subversion by an attacker. Hence reliance on an attacker. Hence reliance on the use of such bindings should be
the use of these options should be strictly limited. In strictly limited. In particular, it is not at all clear to what
particular, it is not at all clear to what extent a typical end- extent a typical end-user recipient can rely on any assurances
user recipient can rely on any assurances that might be made by that might be made by successful use of the SDID or AUID.
successful use of the SDID or AUID.
13. RFC4871 Section 6.3. Interpret Results/Apply Local Policy 13. RFC4871 Section 6.3 Interpret Results/Apply Local Policy
Original Text: Original Text:
It is beyond the scope of this specification to describe what actions It is beyond the scope of this specification to describe what actions
a verifier system should make, but an authenticated email presents an a verifier system should make, but an authenticated email presents an
opportunity to a receiving system that unauthenticated email cannot. opportunity to a receiving system that unauthenticated email cannot.
Specifically, an authenticated email creates a predictable identifier Specifically, an authenticated email creates a predictable identifier
by which other decisions can reliably be managed, such as trust and by which other decisions can reliably be managed, such as trust and
reputation. Conversely, unauthenticated email lacks a reliable reputation. Conversely, unauthenticated email lacks a reliable
identifier that can be used to assign trust and reputation. identifier that can be used to assign trust and reputation.
skipping to change at page 11, line 9 skipping to change at page 12, line 5
Corrected Text: Corrected Text:
It is beyond the scope of this specification to describe what It is beyond the scope of this specification to describe what
actions an Identity Assessor can make, but mail carrying a actions an Identity Assessor can make, but mail carrying a
validated SDID presents an opportunity to an Identity Assessor validated SDID presents an opportunity to an Identity Assessor
that unauthenticated email does not. Specifically, an that unauthenticated email does not. Specifically, an
authenticated email creates a predictable identifier by which authenticated email creates a predictable identifier by which
other decisions can reliably be managed, such as trust and other decisions can reliably be managed, such as trust and
reputation. reputation.
14. RFC4871 Section 6.3. Interpret Results/Apply Local Policy 14. RFC4871 Section 6.3 Interpret Results/Apply Local Policy
Original Text: Original Text:
Once the signature has been verified, that information MUST be Once the signature has been verified, that information MUST be
conveyed to higher-level systems (such as explicit allow/whitelists conveyed to higher-level systems (such as explicit allow/whitelists
and reputation systems) and/or to the end user. If the message is and reputation systems) and/or to the end user. If the message is
signed on behalf of any address other than that in the From: header signed on behalf of any address other than that in the From: header
field, the mail system SHOULD take pains to ensure that the actual field, the mail system SHOULD take pains to ensure that the actual
signing identity is clear to the reader. signing identity is clear to the reader.
skipping to change at page 12, line 11 skipping to change at page 13, line 7
Clarification of these details is likely to limit misinterpretation Clarification of these details is likely to limit misinterpretation
of DKIM's semantics. Since DKIM is fundamentally a security of DKIM's semantics. Since DKIM is fundamentally a security
protocol, this should improve its security characteristics. protocol, this should improve its security characteristics.
17. IANA Considerations 17. IANA Considerations
This document has no actions for IANA. This document has no actions for IANA.
18. Normative References 18. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
"Internationalizing Domain Names in Applications (IDNA)",
RFC 3490, March 2003.
[RFC4871] Allman, E., Callas, J., Delany, M., Libbey, M., Fenton, [RFC4871] Allman, E., Callas, J., Delany, M., Libbey, M., Fenton,
J., and M. Thomas, "DomainKeys Identified Mail (DKIM) J., and M. Thomas, "DomainKeys Identified Mail (DKIM)
Signatures", RFC 4871, May 2007. Signatures", RFC 4871, May 2007.
Appendix A. Acknowledgements Appendix A. Acknowledgements
This document was initially formulated by an ad hoc design team, This document was initially formulated by an ad hoc design team,
comprising: Jon Callas, D. Crocker, J. D. Falk, Michael Hammer, Tony comprising: Jon Callas, D. Crocker, J. D. Falk, Michael Hammer, Tony
Hansen, Murray Kucherawy, John Levine, Jeff Macdonald, Ellen Siegel Hansen, Murray Kucherawy, John Levine, Jeff Macdonald, Ellen Siegel
and Wietse Venema. The final version of the document was developed and Wietse Venema. The final version of the document was developed
 End of changes. 27 change blocks. 
58 lines changed or deleted 70 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/