ietf-dkim

Re: [ietf-dkim] DKIM-BASE-00: Proposed Expiration Tag (x=) Description Change

2006-04-11 22:42:20
Hector,

I'm having trouble here:

From the innocent verifier standpoint, its goal in DKIM might include:

        - Address the malicious transaction problem,
  
How, and why is this the best method (as opposed to either removing the
selector from DNS or having the x= value within the key record itself)?

        - Quickly disseminate the bad from the good,
  
Again, how?  And I don't think you meant disseminate, but discriminate. 
Does a message suddenly become "bad" because the signature expired?  And
what do we mean by "bad" here?  If it is because the key will likely be
cracked over some period of time, wouldn't a verifier understand this
based on the key type, and why would it distinguish one domain from
another in this case?  If it is not because the key is cracked, then we
are into non-repudiation which is out of scope.

        - Reduce overhead,
  
You're talking about DNS queries?  I'm not sure I see it.  I would
expect the VAST majority of queries to occur within days if not minutes.

        - Protect customers/users,
  

From what?

        - Help protect DKIM domains as a standard consistent protocol.
  

I'm sorry, I don't understand this either.

In short,  address the global spam problem.

Does expiration contribute for this purpose?

From a verifier standpoint, it is looking to be told what is bad mail.  It
wants every piece of information the domain can expose to communicate levels
of control.

From a signer standpoint, if the domain is saying the expiration is one
such control to invalidate a signed transaction, then it is not up to the
verifier to decide if it's a useful idea or not.  The verifier will not know
the "true intent" of the domain's control here.  Why should the verifier not
honor it?
  

I'd be happy with this logic if you could give me a single legitimate
purpose for this.  Thus far I haven't heard any.

This also addresses your previous question regarding the application usages
and whether they serve any useful purpose.   That all depends on your role.

I apologize if this short answer doesn't fully describe my overall opinion,
but I will say that DKIM is short on controls or fail detection ideas in
DKIM.

What is unique about Expiration is that it is probably the only clear item
in the DKIM protocol that helps with failure detection:

  expiration ----> clear definition for invalid,
                             no verification required.
  

But what does this mean?  If I am an administrator how would I use this
to provide either myself or the recipient with some value?  What does it
mean for a signature to have expired in this context?  Does it mean that
the message is less trustworthy than it was prior to expiration?  Please
show me a real use case.

Thanks,

Eliot
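
The verifier behaviour debated in this message (an expired x= treated as invalid before any key lookup), as an added example that is not part of the original thread or of the DKIM draft. It assumes the tag=value; syntax and decimal seconds-since-epoch timestamps of the later DKIM specification (RFC 6376); the function names, the skew parameter and the sample headers are constructed for illustration.

```python
import re

DIGITS = re.compile(r"[0-9]{1,12}")

def parse_tags(header_value):
    """Split a DKIM-Signature value (tag=value; ...) into a dict."""
    tags = {}
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)  # undo header folding
    for part in unfolded.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def expiration_check(header_value, now, skew=0):
    """Classify a signature by x= alone, before any DNS key lookup.

    Returns 'no-expiry', 'malformed', 'expired' or 'current'.
    skew (seconds) is an assumed local allowance for clock drift.
    """
    tags = parse_tags(header_value)
    x, t = tags.get("x"), tags.get("t")
    if x is None:
        return "no-expiry"              # x= is optional
    if not DIGITS.fullmatch(x):
        return "malformed"
    if t is not None and (not DIGITS.fullmatch(t) or int(x) <= int(t)):
        return "malformed"              # x= must be later than t=
    return "expired" if now > int(x) + skew else "current"

def lookups_needed(headers, now):
    """Count signatures that still need a key query after the x= check."""
    return sum(expiration_check(h, now) in ("no-expiry", "current")
               for h in headers)

# Constructed sample values; d=, s=, bh= and b= are placeholders, not real data.
NOW = 1144800000
SAMPLES = [
    "v=1; a=rsa-sha256; d=example.com; s=sel1; t=1144700000; x=1144790000; bh=AAAA; b=BBBB",
    "v=1; a=rsa-sha256; d=example.com; s=sel1; t=1144700000;\r\n\t x=1145300000; bh=AAAA; b=BBBB",
    "v=1; a=rsa-sha256; d=example.com; s=sel1; bh=AAAA; b=BBBB",
    "v=1; a=rsa-sha256; d=example.com; s=sel1; t=1144700000; x=1144600000; bh=AAAA; b=BBBB",
    "v=1; a=rsa-sha256; d=example.com; s=sel1; x=soon; bh=AAAA; b=BBBB",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(expiration_check(h, NOW))
    print("key lookups still needed:", lookups_needed(SAMPLES, NOW))
```

Only the signatures classified as 'no-expiry' or 'current' go on to a selector query, which is the overhead argument made in the quoted text; whether an 'expired' result says anything about the message itself is the question the reply raises.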