On Wed, 10 Aug 2005 09:53:37 -0500, Arvel Hathcock wrote:
Suppose you get an unsigned message and DNS lookups fail for whatever
transient reason.
It is probably worth our considering how well or poorly DKIM works under
different modes of connectivity.
Some models require all participants to be online at the same time, with
continuous connectivity throughout the activity. A VOIP telephone call is an
example. (I tend to think that the Web is, too, but that's a more complicated
discussion, what with asynchronous publishing and proxies confusing things.)
Others tolerate highly asynchronous access and interrupted connectivity. Email
is the obvious example, but also note the Delay Tolerant Networking (formerly
Interplanetary Internetworking) effort as an extreme.
So, the issue you are raising is about the ability of the Validating Agent to
access the key server... ummmm, errrr... the DNS.... in real time. (Given that
DKIM rides on email, the model does not require that Signer and Validator be
online at the same time.)
I think that the only other real-time dependencies that the core email service
has on the DNS is the outbound process of finding MX records, and of course,
the
various receive-time SMTP server matchings of the incoming IP Address against
various DNS-based records.
This argues for doing key-retrieval by a component in the receiver's
Administrative Environment that operates with the same connectivity as the
receive-time SMTP server...
However it does not *require* it. There is nothing preventing validation from
being done by a component with highly discontinuous access that does not match
the access of the mail-receiving component. However it makes use of the
signature more challenging.
d/
---
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker a t ...
WE'VE MOVED to: www.bbiw.net
_______________________________________________
ietf-dkim mailing list
ietf-dkim(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/ietf-dkim