On Nov 28, 2005, at 10:53 AM, Mark Delany wrote:
> We still need to sub-type search to ensure that the returned CERT
> RRset contains a DKIM cert unless we continue to insist on
> namespace separation. I'm under the impression that this type of
> sub-typing is not viewed favorably.

The sub-type could be seen as analogous to a version parameter. Due
to the size of these records, binary storage seems wholly
appropriate, and a TLV structure is extensible. A sub-type or
version mechanism seems inescapable, unless no further modifications
are expected.

By "full advantage", does this mean a "good actor's" use of
wildcards? Legitimate wildcard certs would make defending against a
DoS more problematic. The effect this could have on a DNS cache will
be significantly greater, but could not be readily excluded by name.
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org