ietf-dkim

Re: [ietf-dkim] multiple query mechanisms, was Today's jabber

2006-05-19 15:52:50

Eric Allman wrote:
(And yes, I realize that the "skew" argument violates the principle that the sources should all be equivalent, but pragmatically it's not likely that the signer is going to implement a transaction-based store across multiple different technologies. And besides, there's skew in DNS, so we can't escape it.)

There are more issues than just skew. With xkms for example there
are some cases where it would be valid for a responder to return
a public key, even though that same key's certificate MUST be
considered invalid in X.509 terms. For example, if an intermediate
CA cert is revoked so that no path can be constructed, then a
conformant X.509 based source will not return the public key, whereas
an xkms source (or DNS source) can still allow the signature to be
accepted. While these are arguably corner cases, there are a lot
of them so assuming all sources always give the same answer may be
a bit optimistic.

Saying something along the lines that sources should almost always
be equivalent would however be safe enough I'd imagine, though one
could also argue that this is yet another BCP issue.

Stephen.

PS: For those interested in a bunch of similar possibilities:
http://down.dsg.cs.tcd.ie/misc/FarrellKahan-Final-cms.pdf

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html