On Wed, 5 Apr 2006, Werner Koch wrote:
> DKIM just doesn't work - at least not as described in the I-D I am
> aware of. The canonicalization rules needed for MIME are broken
Can you explain in what way that is so?
> and may be used to inject a faked message within a DKIM signed one. The
> recipient (or MTA) will see that the mail verified okay but the actual
> content shown is the faked one. See Thomas Roessler's "noswp
I think this is actually fixed in latest spec.
>> And it shares most of the same problems in this respect with
>> DKIM, if you try to push DKIM to process data at the individual level
>> as opposed to the domain level.
>> Very highly non-scalable.
> I doubt that. A PKA record like
> can be squeezed into less than 32 bytes with a dedicated RR type.
I've tried to lobby (at the DKIM and MASS lists) many times that fingerprints
are much better suited (than a full public key) for a DNS-based PKI system
because of their fixed and small size. Unfortunately people there, due to
political agreements, are not interested in listening (Yahoo insists on a
public key in DNS as the only way or otherwise they would not
BTW what you have above is pretty much what I listed in the META Signatures
specification. There it is actually using SPF as a placeholder for

  v=spf1 ... fp1=A4D94E92B0986AB5EE9DCD755DE249965B0358A2
> If you don't want to use general keyservers, add the space for an URL.
> The latter may even be optimized by extending the system to define URL
> shortcuts like looking up the default key distribution method of the
> domain (e.g. by using HTTP).
Why bother? Just specify the entire URL directly as part of the signature
itself. In DNS you just need to verify that the keyserver is authorized
to provide PKI info for that domain. That can be done with an SRV record,
or you can kind-of encode it directly as part of the hostname, i.e.
can be considered an authorized keyserver for domain.com because it's
hosted in a reserved subdomain of domain.com
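The two design points argued in this reply (a fixed-size fingerprint in DNS instead of the full key, and authorizing a keyserver by its host lying under a reserved subdomain of the signing domain) fit together as a single verification step. The following is an added illustration and is not code from this thread, from GnuPG's PKA, or from the META Signatures specification. It assumes a hypothetical reserved label `_keys`, a constructed SPF-style TXT record carrying an `fp1=` tag in the shape quoted above, and constructed key bytes standing in for a key fetched from the keyserver URL named in a signature; SHA-1 is assumed for the fingerprint because the quoted `fp1=` value is 40 hex digits.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Hypothetical reserved subdomain label under which a domain's authorized
# keyservers live (an assumption; the thread names no specific label).
RESERVED_LABEL = "_keys"

# Constructed sample key material. In a real deployment this would be the
# public key fetched from the keyserver URL carried in the signature.
SAMPLE_KEY = b"-----CONSTRUCTED SAMPLE PUBLIC KEY, NOT A REAL KEY-----"


def key_fingerprint(key_bytes: bytes) -> str:
    """SHA-1 fingerprint of the key: 20 bytes, fixed size whatever the key size.

    This is what goes into DNS in place of the (much larger) key itself."""
    return hashlib.sha1(key_bytes).hexdigest().upper()


# Constructed SPF-style TXT record carrying the fingerprint in an fp1= tag,
# in the shape quoted in the thread (the real META Signatures syntax may differ).
SAMPLE_TXT = "v=spf1 mx -all fp1=" + key_fingerprint(SAMPLE_KEY)


def parse_txt_record(txt: str) -> dict:
    """Split a TXT record into tag=value pairs.

    Terms without '=' (mx, -all) are SPF mechanisms, not tags, and are skipped."""
    tags = {}
    for term in txt.split():
        name, sep, value = term.partition("=")
        if sep:
            tags[name.lower()] = value
    return tags


def keyserver_authorized(url: str, signing_domain: str) -> bool:
    """Accept the keyserver only if its host is the reserved subdomain of the
    signing domain or lies beneath it. The comparison is made on label
    boundaries so that 'x_keys.example.com' or a host under some other
    domain that merely ends in the same string does not pass."""
    host = urlparse(url).hostname
    if not host:
        return False
    host = host.lower().rstrip(".")
    reserved = f"{RESERVED_LABEL}.{signing_domain.lower().rstrip('.')}"
    return host == reserved or host.endswith("." + reserved)


def verify_published_key(key_bytes: bytes, txt_record: str,
                         keyserver_url: str, signing_domain: str):
    """Bind a key obtained from a keyserver to the fingerprint the signing
    domain publishes in DNS. Returns (ok, reason)."""
    if not keyserver_authorized(keyserver_url, signing_domain):
        return False, "keyserver host is not under the reserved subdomain of the signing domain"
    fp = parse_txt_record(txt_record).get("fp1")
    if fp is None or not re.fullmatch(r"[0-9A-Fa-f]{40}", fp):
        return False, "DNS record carries no well-formed fp1= fingerprint"
    # Constant-time comparison of the two hex strings.
    if not hmac.compare_digest(key_fingerprint(key_bytes), fp.upper()):
        return False, "key does not match the fingerprint published in DNS"
    return True, "key matches the DNS-published fingerprint"


if __name__ == "__main__":
    good_url = "https://hkp._keys.example.com/keys/selector1.bin"
    print(verify_published_key(SAMPLE_KEY, SAMPLE_TXT, good_url, "example.com"))
    print(verify_published_key(SAMPLE_KEY + b"tampered", SAMPLE_TXT, good_url, "example.com"))
    print(verify_published_key(SAMPLE_KEY, SAMPLE_TXT,
                               "https://keys.evil-example.com/k.bin", "example.com"))
    fp_len = len(bytes.fromhex(parse_txt_record(SAMPLE_TXT)["fp1"]))
    print(f"DNS payload: {fp_len} bytes vs {len(SAMPLE_KEY)} bytes for the key itself")
```

The DNS record only ever holds the 20-byte digest, so its size does not change when the domain moves to a larger key; the key itself travels over whatever URL the signature names, and the subdomain check is what stops an arbitrary third-party host from being named as the domain's keyserver.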
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/