ietf-asrg

Re: [Asrg] porkhash: flexible anti-impersonation mail signatures

2003-04-03 12:50:25

william(_at_)elan(_dot_)net said:

So if, say, we have porkhash but verification is somehow done through 
a DNS server, then you would have no problem?

Yep -- there's nothing saying the verification server can't respond
via DNS queries.   The only issues I'd see would be (a) max size of DNS
query packets (the query has to contain the sender_id data, which could
be an entire Received header), and (b) current DNS server software does
not have an easily-extensible design for dynamic responses (a la HTTP's
CGI).

DNS would definitely be more lightweight, in terms of network traffic
and latency, though.

Also, regarding cacheability.  Note that the verification query operation
uses the following data:

  - sender_id (usually email addr?)
  - timestamp
  - opaque_md5_sum = md5(sender_id, timestamp, secretkey)

For each unique message, regardless of which recipient is doing the query,
those pieces of data will not change; so the response is cacheable.

Also worth noting that in the original design, there's no state held on
the verification server, apart from the shared secret.  So a farm of
verification servers (whether using DNS as the transport or not), can be
used to deal with heavy load.   (Adding state, such as a db of valid
Message-Ids, would complicate this, of course.)

--j.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
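
An added sketch of the verification query discussed in the message above (not code from the original post or from the porkhash proposal): a verifier that holds only the shared secret, a recipient-side cache keyed on the three query fields, and a check of whether the query still fits in a DNS name. The NUL field separator, the base32 name layout, the constant-time comparison and all class and function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

MAX_LABEL = 63   # RFC 1035 limit on a single DNS label, in octets
MAX_NAME = 253   # limit on a full name in text form (255 octets on the wire)


def porkhash(sender_id: str, timestamp: int, secret: bytes) -> str:
    """md5(sender_id, timestamp, secretkey); the NUL separator is an assumption."""
    data = b"\0".join([sender_id.encode(), str(timestamp).encode(), secret])
    return hashlib.md5(data).hexdigest()


class Verifier:
    """Holds no state apart from the shared secret, so every farm member agrees."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def verify(self, sender_id: str, timestamp: int, md5_hex: str) -> bool:
        expected = porkhash(sender_id, timestamp, self._secret)
        return hmac.compare_digest(expected, md5_hex.lower())


def dns_qname(sender_id: str, timestamp: int, md5_hex: str, zone: str) -> str:
    """Build <base32 sender labels>.<timestamp>.<md5>.<zone>; raise if it cannot fit."""
    b32 = base64.b32encode(sender_id.encode()).decode().rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    name = ".".join(labels + [str(timestamp), md5_hex, zone])
    if len(name) > MAX_NAME:
        raise ValueError(f"query name is {len(name)} octets, limit is {MAX_NAME}")
    return name


class CachingClient:
    """Caches answers keyed on the three query fields, which are fixed per message."""

    def __init__(self, backend: Verifier):
        self._backend = backend
        self._cache = {}
        self.backend_calls = 0

    def check(self, sender_id: str, timestamp: int, md5_hex: str) -> bool:
        key = (sender_id, timestamp, md5_hex)
        if key not in self._cache:
            self.backend_calls += 1
            self._cache[key] = self._backend.verify(sender_id, timestamp, md5_hex)
        return self._cache[key]
```

A short address fits in one query name, while a sender_id the size of a full Received header makes `dns_qname` raise, which is issue (a) from the message.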