On Fri, 5 Aug 2005, Andrew Newton wrote:
DKIM needs to have a good story regarding defense of replay. However, I'm
now less convinced of Doug's revocation ID idea. It almost seems that replay
can be detected just by monitoring the number of queries against a user key.
The problem are those user keys. Yes you could use that, but its
incredebly bad for dns stability (this comes back to the whole point
that public keys in dns is bad and user public keys makes it 10x worse)
where as simple A lookups based on unique id in the signature is fairly
low overhead (but it does mean extra dns lookup).
This would be especially true if the other key retrieval methods are
used for user keying.
Correct. Then dns revocation is not as useful.