ietf-dkim

Re: [ietf-dkim] Review of draft-ietf-dkim-base-00 (1)

2006-03-20 09:11:48
Michael,


  I think that if "CA" meant "central authority" rather than
  "certificate authority",  it would probably be appropriate.

There are all sorts of ways of changing what Eric said, to make it accurate,
relevant and useful.

Certainly DKIM uses domain name registrations and initially (and perhaps
forever) relies on querying for key information by using the operational DNS.
Yes, the DNS is a central service.

It might well help public understanding to make the distinction between using the operational DNS and using some other third-party service.

However, I'll suggest that the way to get there is not through a simple
nomenclature change.

DKIM does not require the operation of new infrastructure.  DKIM uses domain
name registrations, to provide unique identifications. DKIM initially uses
records added to the operational DNS to distribute public keys.  DKIM uses the
relationship between the owner/administrator of the domain name and the location
of the key information, in the DNS, to establish self-certification of the key
information.

Given the history of Internet deployment of CA services, what DKIM is doing is
fundamentally different.

Whether this means that "no third party service" is used or whether the wording
should be more subtle, is a reasonable question.  Those uncomfortable with the
language probably ought to suggest an alternative.


  But it doesn't, and CA brings in all kinds of baggage mostly
  from the "certificate" side. If I understand things correctly,
  DNSSEC doesn't require use of "certificates".


Your understanding is correct.

And yes, that does make Eric's "criticism" even more curious, doesn't it?


d/
--

Dave Crocker
Brandenburg InternetWorking
<http://bbiw.net>
