ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] Attempted text for x=

2006-04-19 23:11:11
from [Hector Santos] [Permanent Link] 

----- Original Message -----
From: "Stephen Farrell" <stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie>


       Verifiers SHOULD support checking of x= values.


I think this must be a MUST.


REQUIRING that the verifer honour the sender's wishes is
tricky in general and a MUST there is getting close to that,
as you say.


Agreed.

If we change it to relaxed wording like so:

    Verifiers MAY support checking of x= values. If verifiers
    supports checking the  expiration x= tag, they SHOULD
    honor the signature expiration.

Then basically, this effectively defines for implementations, the x= tag is
worthless and that if the domains wants to truly expire a signature they
need to either:

     a) revoke the public key by setting p=data to empty, or
     b) purge the publc key DNS record from DNS.

In this case, x=tag becomes an *optional* optimization or non-DNS based fast
rejection feature or concept.

The wording might be:

    DKIM offers an key expiration optimization option using an x=expiration
date
    tag in DKIM signatures.  Verifiers MAY use this tag to accelerate the
    classification of a signature to an invalid state.  Signers MAY set this
    x= value, however, signers MUST be aware that verifiers may not support
this
    option and the only effective way to expire a signature or revoke a
public
    key is to clear the public key or remove the selector DNS record.

That is all that basically needs to be said from my point of view as an
implementator.

Signers now will basically view x as the day the key data is cleared or the
DNS record is removed,  and decide for themselves if they want to assist the
verifier world with the x=tag optimizer.

Lets keep in mind, tag or not tag, you still have step 2 in section 6.2 and
the 451 recommendation is not something verifiers will just willing honor
across the board. That is definitely a candidate for local policy setting to
551.  In short, the coding for the verifier might be:

     NXDOMAIN, no tag, not expired  ---> 451
     NXDOMAIN, signature expired    ---> 551


--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com





_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] Attempted text for x=, Hector Santos
Next by Date:  RE: [ietf-dkim] Attempted text for x=, Bill.Oxley
Previous by Thread:  Re: [ietf-dkim] Attempted text for x=, Stephen Farrell
Next by Thread:  Re: [ietf-dkim] Attempted text for x=, Paul Hoffman
Indexes:  [Date] [Thread] [Top] [All Lists]