On Apr 11, 2006, at 12:42 PM, william(at)elan.net wrote:
> On Tue, 11 Apr 2006, Mark Delany wrote:
>> So the purpose of x= is to optimize corner-case DNS queries?
> That is just one of the cases where they can be of use; you, after
> all, asked for "specific value".

This is not a compelling reason. What percentage would this exclude
from further examination? .00001%?

> It would also be good to have when you want to do more refined
> security setup between two hosts.

Although I am still publishing the public key, do not consider it to
be from me?

For a security refinement, retire the key and achieve increased
security. Do not rely upon a message expiry parameter.

Even the informative note discounts a "security refinement" motive,
which sounds like double-speak for an abusive message replay defense.

Security Refinement: One may receive message replay abuse for 2
weeks, rather than for the period pending key retirement. The expiry
strategy offers little protection. When used as protection
(security), the problems a precision-timed expiry may create increase.

Please don't consider DSNs someone else's concern. If there is a
problem, establish a mechanism to expunge the messages, and not have
them fall into a category where they might be rejected post-upstream
acceptance.
x= base:
,---
| Signatures MUST NOT be considered valid if the current time at the
| verifier is past the expiration date. The value is expressed as
| an unsigned integer in decimal ASCII.
|...
| INFORMATIVE NOTE: The x= tag is not intended as an anti-replay
| defense.
'___
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
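An added example, not from this thread or from the DKIM base draft it quotes, of how a verifier applies the quoted x= rule: a small tag=value parser plus the expiry check, run over a constructed DKIM-Signature header value whose domain, selector, timestamps and bh=/b= values are all placeholders. It also makes the informative note concrete: a 'valid' result says nothing about how many times the message has already been seen.

```python
import time
from typing import Dict, Optional

# Constructed sample header value (folded across lines like a real header).
# t= is 2006-04-11 00:00 UTC and x= is exactly two weeks later; the d=, s=,
# bh= and b= values are placeholders, not real keys or signatures.
SAMPLE_SIG = ("v=1; a=rsa-sha256; d=example.com; s=sel2006;\r\n"
              "\tt=1144713600; x=1145923200; h=from:to:subject;\r\n"
              "\tbh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG=")


def parse_tag_list(value: str) -> Dict[str, str]:
    """Split a DKIM tag=value list on ';' into a dict; folding whitespace
    around names and values is dropped, duplicate tags are rejected."""
    tags: Dict[str, str] = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:          # empty element, e.g. after a trailing ';'
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        name, val = item.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = "".join(val.split())
    return tags


def check_expiry(sig_header: str, now: Optional[int] = None) -> str:
    """Apply the quoted x= rule at the verifier: 'no-expiry' when x= is
    absent, 'expired' once the verifier's clock is past x=, 'invalid' when
    x= is not an unsigned decimal ASCII integer, else 'valid'.  'valid'
    says nothing about replay: the same message passes this check any
    number of times until x= is reached, which is why the note says x= is
    not an anti-replay defense."""
    tags = parse_tag_list(sig_header)
    if now is None:
        now = int(time.time())
    x = tags.get("x")
    if x is None:
        return "no-expiry"
    if not (x.isascii() and x.isdigit()):   # "unsigned integer in decimal ASCII"
        return "invalid"
    return "expired" if now > int(x) else "valid"
```

Run the check at SMTP time, before the message is accepted, so an expired signature is refused to the sending MTA rather than turned into a DSN after acceptance (the DSN concern raised above).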