Eliot Lear wrote:
John Levine wrote:
The other alternative to squeezing bits in a DNS record is providing a
redirect to another service.
Sure, but now you have the extra cost of another transaction. If you're
going to do that, you might as well invent another q= lookup scheme,
probably via HTTP, and use it directly.
Right... this is really where I was aiming.
It seems to me that since DKIM signatures are expected to have short
lifetimes and to have only moderate value, and that we've established
quite thoroughly that there is not yet an obvious successor to SHA-1,
it would be OK simply to note that we'll need something more secure in
the future and leave it at that.
How many times do you want to do this?!
<<Apologies for my last posting; I responded to the second paragraph's focus on
algorithm agility, rather than the first paragraph's suggestion of an alternate
I think the answer is: once, and we want to wait as long as possible, before
trying to create that additional infrastructure.
This was one of the main points of differentiation between domainkeys and
identified internet mail. The dominant feeling is that creating a new query
service infrastructure is a very, very high barrier to entry.
NOTE WELL: This list operates according to