I think we all agree that the goal is to define or create a scheme in
which senders can put signatures on mail messages and recipients can
verify them. The recipients need some way to fetch the verification
key. Do all the schemes use DNS for that, or are there others?
A point to consider: Information in the DNS can always be obtained from
elsewhere. The DNS might contain the 'master' copy, or it might contain
a 'secondary' copy. In any event, schemes do better when they
distinguish between the information that is needed, versus how it is
obtained. This permits obtaining it through alternative mechanisms.
It is my impression that one large vendor prefers to do verification
and perhaps signing in the MUA, while all the rest prefer the MTA.
Another point to consider: An architecture that presumes implementation
in the infrastructure cannot be implemented at the endpoints. An
architecture that presumes implementation at the endpoints often can
have infrastructure agents implement them "on behalf of" the endpoints.
Dave Crocker <mailto:dcrocker-at-brandenburg-dot-com>
Brandenburg InternetWorking <http://brandenburg.com>