
Re: [ietf-dkim] draft-allman-dkim-{base,ssp}-01.txt

2005-10-26 01:26:43

On Wed, 26 Oct 2005, Stephen Farrell wrote:

> That I think is a fair enough point and worth discussing. (As might
> be whether or not to allow an option for public keys to be included
> with signatures.)

Please do (discuss it at the very least).

> OTOH it seems that there should be a benefit to
> using DNS to move the keys and policy data if its done well, since
> it does provide a somewhat out-of-band channel (generally good in
> security) as well as potential ways to choke back on misbehaviour
> (which can be both good and dangerous).

An out-of-band channel makes one system depend more heavily on another system, which means the security strength of the total system is cumulative and thus smaller than either one.

Besides, do note that no matter how you do it, you end up having to move the same data - you have just rearranged who does it, moving it off your [protocol] back to someone else's - this is not at all nice behavior, and the result of DKIM could be an increase in the size of data carried by DNS of 100% or more. So in this case you also have to consider whether the system you moved it to is well suited for moving such data and how much of a problem it could be, and from what we know so far DNS really works very well with small, constant-size data pieces as its database values but is not very good when such data is large and comes close to its UDP limit.

Additionally, note that security depends on the size of the public key
used, and if attacks on PKI protocols continue and the computing
resources predicted by Moore's law increase, we'd end up having to
increase the size of public keys, and you're already at the limit with
DNS at the current size, with little or no way to go further.

A much better approach is to always put a small, fixed-size value, a
fingerprint, in DNS and let public keys be handled together with other
mail data, as SMTP is already designed for moving significant amounts
of data and this increase would not have any major impact on it.

--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
_______________________________________________
ietf-dkim mailing list
http://dkim.org
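To put numbers on the DNS size argument made in the post above, here is an added Python example; it is not code from the thread or from any DKIM implementation. It builds the DER SubjectPublicKeyInfo for RSA keys of 1024, 2048 and 4096 bits from a constructed modulus (DER size depends only on byte lengths, so the sizes match real keys), wraps them in the `v=DKIM1; k=rsa; p=` TXT record format the DKIM drafts use, estimates the resulting DNS response size against the 512-byte UDP payload limit of RFC 1035, and compares that with a fixed-size SHA-256 fingerprint record. The `fp=` tag, the `sha256:` prefix and the query name `selector._domainkey.example.com` are assumptions for illustration, not DKIM tags or real names.

```python
import base64
import hashlib
import hmac
import secrets

# Maximum DNS payload over UDP without EDNS0 (RFC 1035); the post's "UDP limit".
DNS_UDP_PAYLOAD_LIMIT = 512
# Each <character-string> inside TXT RDATA is at most 255 bytes (RFC 1035).
TXT_STRING_MAX = 255


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 if the high bit is set)."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def synthetic_rsa_spki(bits: int, e: int = 65537) -> bytes:
    """SubjectPublicKeyInfo DER for an RSA public key of exactly `bits` bits.

    The modulus is constructed (random, top bit set), NOT a real key: the DER
    size depends only on byte lengths, so the length equals that of a real key."""
    n = (1 << (bits - 1)) | secrets.randbits(bits - 1) | 1
    rsa_public_key = der_tlv(0x30, der_integer(n) + der_integer(e))
    rsa_encryption_oid = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))  # 1.2.840.113549.1.1.1
    algorithm_id = der_tlv(0x30, rsa_encryption_oid + der_tlv(0x05, b""))
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key)  # 0 unused bits
    return der_tlv(0x30, algorithm_id + subject_public_key)


def key_record(spki_der: bytes) -> str:
    """DKIM key record carrying the whole public key (v=DKIM1; k=rsa; p=...)."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_der).decode("ascii")


def fingerprint_record(spki_der: bytes) -> str:
    """Hypothetical record carrying only a SHA-256 fingerprint of the key.
    The fp= tag is invented here for illustration; it is not a DKIM tag."""
    return "v=DKIM1; k=rsa; fp=sha256:" + hashlib.sha256(spki_der).hexdigest()


def txt_rdata_length(text: str) -> int:
    """Wire size of TXT RDATA: each <=255-byte string has a 1-byte length prefix."""
    data = text.encode("ascii")
    starts = range(0, len(data), TXT_STRING_MAX)
    return sum(1 + len(data[i:i + TXT_STRING_MAX]) for i in starts)


def dns_response_size(qname: str, rdata_len: int) -> int:
    """Estimated size of a one-answer TXT response: 12-byte header, question
    (wire-format name + QTYPE + QCLASS), and an answer RR whose name is a
    2-byte compression pointer followed by TYPE, CLASS, TTL, RDLENGTH (10 bytes)."""
    wire_name = sum(1 + len(label) for label in qname.split(".")) + 1
    question = wire_name + 4
    answer = 2 + 10 + rdata_len
    return 12 + question + answer


def fits_in_udp(qname: str, record: str) -> bool:
    return dns_response_size(qname, txt_rdata_length(record)) <= DNS_UDP_PAYLOAD_LIMIT


def fingerprint_matches(spki_der: bytes, record: str) -> bool:
    """Verifier side of the fingerprint scheme: the key arrived with the mail,
    DNS supplied only its hash; compare in constant time."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if t.strip())
    expected = tags.get("fp", "")
    if not expected.startswith("sha256:"):
        return False
    actual = hashlib.sha256(spki_der).hexdigest()
    return hmac.compare_digest(actual, expected[len("sha256:"):])


if __name__ == "__main__":
    qname = "selector._domainkey.example.com"  # constructed query name
    for bits in (1024, 2048, 4096):
        spki = synthetic_rsa_spki(bits)
        full, fp = key_record(spki), fingerprint_record(spki)
        print(f"RSA-{bits}: SPKI {len(spki)} B, p= record {len(full)} chars, "
              f"response {dns_response_size(qname, txt_rdata_length(full))} B, "
              f"fits UDP: {fits_in_udp(qname, full)}; fingerprint record "
              f"{len(fp)} chars, fits UDP: {fits_in_udp(qname, fp)}")
```

Running it shows the shape of the trade-off: a 1024-bit key record yields a response of roughly 300 bytes, a 2048-bit key lands just under the 512-byte limit, and a 4096-bit key exceeds it, so a resolver without EDNS0 would have to retry over TCP. The fingerprint record stays at 90 characters no matter how large the key grows, and `fingerprint_matches` shows the corresponding verifier check, with the key itself delivered in the message.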