Re: DKIM: Key revocation

On Jul 14, 2005, at 11:29 PM, <domainkeys-feedbackbase02(_at_)yahoo(_dot_)com>wrote:

--- Earl Hood <earl(_at_)earlhood(_dot_)com> wrote:
There should be some way to indicate that a key has been revoked.
It seems right now, revocation is indirect, by removing theappropriate
DNS entry.  However, a verifier does not know if the key was revoked,
temporarily unavailable, or never existed.
Hmm. I'll have to swing back on the draft, but at one stage theplan was to usethe DK revocation method of continuing to advertise the Key RR withan empty
public key value.

Would that satisfy your concerns regarding explicit revocation?

Revocation could be seen related to the replay issue. When there isa large domain sharing the same key among many users, such keyrevocation creates problems. Having a key per-user creates differentand perhaps equally serious problems. Revocation by modifying orremoving the key also requires short TTLs for the DNS record, whichexacerbate the effect of using a large number of individual keys.

In the mass-reputation draft, I suggested the optional use of au=<revocation-identifier> in the signature header to provide twobenefits. One benefit would be for the reputation service, wherethere would be a means to identify abusive sources on the largedomain that consolidate any number of abusive messages, and to seethese accounts being handled by the providers. The other benefitprevents there being a conflict of interest with respect the sameindependent entity providing finger-prints on replay messages, anddomain reputations. The revocation-identifier would enable eachprovider to establish their own individual account revocations,without relying upon third-party threat information.

It is already common for providers to identify accounts using someopaque manner. Adding the u=revocation-identifier offers a means tostandardize this technique. This would enable a means to eradicateone of the most troubling problems plaguing email. There are methodsthat can both inhibit replay attacks and lessen the overhead neededto address the replay issue as well as protecting the network resources.


-Doug

<Prev in Thread]	Current Thread	[Next in Thread>
DKIM: t=SecondsSince1970, (continued) DKIM: t=SecondsSince1970, domainkeys-feedbackbase02 Re: DKIM: t=SecondsSince1970, Earl Hood Re: DKIM: t=SecondsSince1970, william(at)elan.net Re: DKIM: t=SecondsSince1970, Michael Thomas Re: DKIM: t=SecondsSince1970, Earl Hood Re: DKIM: t=SecondsSince1970, wayne Re: DKIM: t=SecondsSince1970, william(at)elan.net DKIM: Key revocation, domainkeys-feedbackbase02 Re: DKIM: Key revocation, Earl Hood Re: DKIM: Key revocation, Michael Thomas Re: DKIM: Key revocation, Douglas Otis <= Re: Feedback on DKIM draft (long), william(at)elan.net Re: Feedback on DKIM draft (long), Ned Freed Re: Feedback on DKIM draft (long), Dave Crocker Re: Feedback on DKIM draft (long), Douglas Otis Re: Feedback on DKIM draft (long), Ned Freed Re: Feedback on DKIM draft (long), Dave Crocker Re: Feedback on DKIM draft (long), Earl Hood DKIM: c=simple is aspirational, domainkeys-feedbackbase02 Re: DKIM: c=simple is aspirational, Earl Hood Re: DKIM: c=simple is aspirational, Ned Freed

Previous by Date:	Re: DKIM: t=SecondsSince1970, Earl Hood
Next by Date:	Re: MASS BOF Agenda and Proposed charter, Earl Hood
Previous by Thread:	Re: DKIM: Key revocation, Michael Thomas
Next by Thread:	Re: Feedback on DKIM draft (long), william(at)elan.net
Indexes:	[Date] [Thread] [Top] [All Lists]