By optional augmentation, I had something in mind along the
lines of where this thread started; namely optional fetches
for reputation/accreditation. For that part, I could support
an xkms-type fetch.
I see two near-term applications:
1) At an edge signer: q=dns,xkms
The edge signer provides the key through multiple key retrieval
mechanisms. This allows signature verification by clients that only
support DNS. Verifiers that support XKMS in addition may obtain
additional key attributes, verify the signature beyond the expiry of the
DNS record etc.
2) As an end-to-end signature in addition to edge signature
The originating email client signs the message using q=xkms, the
edge signer then adds a q=dns edge signature. This allows for end-to-end
security.
The main reason one would only use q=xkms without a DNS fallback in this
circumstance would be precisely to ensure that the signatures are not
interpreted by incoming edge servers.
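An added example, not taken from the post above or from any DKIM implementation: a small verifier-side selector that reads the q= tag of a DKIM-Signature header (written comma separated as in the post; DKIM itself uses a colon-separated list, and the parser accepts both), works out which advertised key-retrieval method a given verifier can use, and runs that over a constructed message carrying both an end-to-end q=xkms signature and an edge q=dns,xkms signature. The header values, domains, selectors and capability sets are constructed for this example.

```python
"""Verifier-side selection of a DKIM key-retrieval method from the q= tag.

Added example: the q= list is written comma separated as in the post
("q=dns,xkms"); real DKIM uses ':' between methods, so both separators are
accepted. All sample headers and capability sets are constructed.
"""
from typing import Dict, List, Optional, Set, Tuple


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature value 'tag=value; tag=value' into a dict.

    Folding whitespace inside a value is dropped, as a DKIM verifier
    would do before interpreting the tag.
    """
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip()] = "".join(value.split())
    return tags


def advertised_methods(tags: Dict[str, str]) -> List[str]:
    """Return the key-retrieval methods the signer lists in q=, in signer order.

    A missing q= tag means DNS only. Method options such as 'dns/txt' are
    reduced to their base name ('dns').
    """
    q = tags.get("q", "dns")
    raw = [m.strip().lower() for m in q.replace(":", ",").split(",")]
    return [m.split("/", 1)[0] for m in raw if m]


def choose_method(tags: Dict[str, str], supported: Set[str],
                  prefer: Optional[str] = None) -> Optional[str]:
    """Pick the retrieval method this verifier will use for one signature.

    If `prefer` is both advertised and supported it wins (an XKMS-capable
    verifier may want the extra key attributes); otherwise the first
    advertised method the verifier supports is used. None means the
    signature cannot be verified by this verifier and is ignored.
    """
    methods = advertised_methods(tags)
    if prefer is not None and prefer in methods and prefer in supported:
        return prefer
    for base in methods:
        if base in supported:
            return base
    return None


# Constructed message with two signatures: the originating client's
# end-to-end signature (q=xkms only) and the edge signer's signature
# (q=dns,xkms). Hash and signature fields are placeholders.
SAMPLE_HEADERS = [
    "v=1; a=rsa-sha256; d=example.org; s=user1; q=xkms; "
    "h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER",
    "v=1; a=rsa-sha256; d=example.org; s=edge; q=dns,xkms; "
    "h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER",
]


def verifiable_signatures(header_values: List[str], supported: Set[str],
                          prefer: Optional[str] = None
                          ) -> List[Tuple[Optional[str], Optional[str], Optional[str]]]:
    """For each DKIM-Signature header, report (d=, s=, chosen method or None)."""
    result = []
    for hv in header_values:
        tags = parse_dkim_tags(hv)
        result.append((tags.get("d"), tags.get("s"),
                       choose_method(tags, supported, prefer)))
    return result


if __name__ == "__main__":
    print("DNS-only verifier:", verifiable_signatures(SAMPLE_HEADERS, {"dns"}))
    print("XKMS-capable verifier:",
          verifiable_signatures(SAMPLE_HEADERS, {"dns", "xkms"}, prefer="xkms"))
```

A DNS-only verifier gets None for the client's q=xkms signature and verifies only the edge signature, which is the behaviour the post's last paragraph relies on; an XKMS-capable verifier can check both, and the prefer argument lets it fetch the edge key over XKMS when it wants the additional key attributes.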