ietf-dkim

Re: [ietf-dkim] domainkeys for other protocols/applications

2005-12-07 09:08:47
On Wed, Dec 07, 2005 at 10:59:19AM +0100, Klaus Darilion wrote:

> I wonder if it was ever considered to use the Domainkeys technology also
> for other applications than email. For example I've implemented a
> proof-of-concept implementation of Domainkeys for SIP:
> http://openser.org/pipermail/devel/2005-November/001222.html
>
> IMO domainkeys is a smart technology and can be used for more than
> email. Of course, the signing/validation algorithm has to be adapted,
> e.g. there is no Sender: header in SIP.
>
> One important aspect of using domainkeys for other applications is the
> coexistence of the several domainkeys applications without interference,
> e.g. multiple domainkeys applications can overlap in the DNS. Publishing
> public keys under different domains should be no problem using different
> selectors for each application. But I wonder about the policy record.
> E.g. the policy record for DKIM is at:
>   _policy._domainkey.domain

There would be no need to prefix the policy with an underscore. One
misplaced underscore is enough to avoid stepping on other parts of the
DNS tree.

> When another application uses domainkeys, should the published policy
> use another policy selector, e.g.
>   _sippolicy._domainkey.domain
>
> or should the policies all be put in the same domain, but using a
> certain tag-value pair to identify the service, e.g.:
>
>   _policy._domainkey.domain TXT "o=-;a=email"
>   _policy._domainkey.domain TXT "o=~;t=y;a=sip"

Without commenting on the rest, this approach is not as good as the
multiple selector approach as it is likely to lead to bloating the
response beyond the size of a UDP packet. Depending on the software
involved you may end up with some semi-random subset of the responses
or escalation to TCP access.  Neither is a good thing.

Cheers,
  Steve
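
The response-size concern raised in the reply above can be checked by building the DNS wire format directly. This is an added example, not code from the thread or from any DKIM implementation; it assumes the classic 512-byte UDP limit without EDNS0, uses `example.com` as a placeholder domain, and the 100-byte policy string is constructed.

```python
import struct

UDP_LIMIT = 512  # DNS payload limit over UDP without EDNS0 (RFC 1035)

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def txt_rdata(text):
    """TXT RDATA: character-strings of at most 255 bytes each."""
    raw = text.encode("ascii")
    chunks = [raw[i:i + 255] for i in range(0, len(raw), 255)] or [b""]
    return b"".join(bytes([len(c)]) + c for c in chunks)

def build_response(qname, txts, ttl=3600):
    """Wire form of an authoritative TXT response, one answer RR per string."""
    header = struct.pack("!6H", 0x1234, 0x8400, 1, len(txts), 0, 0)
    question = encode_name(qname) + struct.pack("!2H", 16, 1)  # TXT, IN
    answers = b""
    for text in txts:
        rdata = txt_rdata(text)
        # 0xC00C: compression pointer back to the name in the question
        answers += struct.pack("!3HIH", 0xC00C, 16, 1, ttl, len(rdata)) + rdata
    return header + question + answers

def records_that_fit(qname, text, limit=UDP_LIMIT):
    """How many records the size of `text` fit at one name before truncation."""
    count = 0
    while len(build_response(qname, [text] * (count + 1))) <= limit:
        count += 1
    return count

if __name__ == "__main__":
    shared = "_policy._domainkey.example.com"       # placeholder domain
    per_service = "_sippolicy._domainkey.example.com"
    both = ["o=-;a=email", "o=~;t=y;a=sip"]          # the two records from the post
    print("shared name, 2 services:", len(build_response(shared, both)), "bytes")
    print("per-service name, SIP only:",
          len(build_response(per_service, both[1:])), "bytes")
    print("short policies per shared name:", records_that_fit(shared, both[1]))
    long_policy = "o=~;t=y;a=sip;n=" + "x" * 84      # constructed 100-byte policy
    print("100-byte policies per shared name:",
          records_that_fit(shared, long_policy))
```

With per-service names the response size stays constant as services are added, while the shared name grows by one full resource record per service.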