ietf-dkim

Re: [ietf-dkim] editorials and nits

2006-07-04 07:43:22
Stephen Farrell wrote:


I don't see DNS as a "third party" in the same sense as a CA for certs. Yes, DNS has to work, but it isn't a third party (unless you want to count the root servers, I suppose). By this logic, we should also include the multiple third parties that run the routers and all the rest of the infrastructure.


In my little PKI-riddled mind, the DNS is a TTP since it supplies the
public keys and if/when DNSSEC were used, it starts to look quite like
a PKI. The routers etc. won't ever really be supplying signed key
records. But if no-one else thinks the same, leaving as-is is of course
right.


I think Eric captures the exact nature of the confusion. On a purely technical
level, Stephen is right, but on the 'want-to-be-understood' level, mentioning
a TTP is a good way to get un-understood in a big hurry. And even then people
try to shoehorn "certificates" into our certificateless design and proceed to
misunderstand based on that false premise.


If I go to a conference or IETF, then I generally use its smtp server.
If someone was used to mail from me being signed by tcd.ie and suddenly
saw mail from me signed by ietf66.org they might react badly. I don't
want that to happen. (I know that the IETF meeting server doesn't sign
now, but I guess it may in future.)

So, my point was that I didn't see an example/use-case that mapped to
the one above.


Sure there is: the first obvious is that you can vpn into your home as
many of us do already and have your home MTAs do the signing. However,
the "DKIM" answer is to delegate a key/selector to stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie
(probably with g=stephen.farrell; ) and allow your own selector to do the job.
I've been wanting for quite some time to hack up a thunderbird plugin that
can do exactly this.


#6 3.6.1 "k=" says that the public key is in the "p=" value, but it's
actually the modulus.


I guess I'm confused.  If this isn't the public key, what is?


Me being pedantic again I guess. The public key is the modulus and
the public exponent (in our case hardcoded to be 65537).


Wouldn't it actually be better to just say that it's the PEM formatted
public key with reference and not give an explanation at all? For a
developer, what I'm looking for is a routine which reads it, and
looking for PEM_xxx is a lot easier than looking for "b64 modulus
with hardcoded public exponent of 65537".

      Mike
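The two sides of the "p=" nit above (Stephen: a public key is modulus plus exponent; Mike: just point at the PEM routines), worked as an added Python example that is not from the list or from any DKIM implementation. It assumes the encoding RFC 4871 later settled on, where p= holds the base64 of a DER SubjectPublicKeyInfo (the body of a PEM "PUBLIC KEY" block without the armour lines), and it parses a hand-encoded toy key to show that both the modulus and the exponent travel inside p=.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1, rsaEncryption

def der_read(buf, pos=0):
    """Return (tag, body, position after the element) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (real-sized keys need it)
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def parse_spki(der):
    """Extract (modulus, exponent) from a DER SubjectPublicKeyInfo; reject non-RSA keys."""
    tag, spki, _ = der_read(der)
    _, alg, pos = der_read(spki)           # AlgorithmIdentifier
    oid_tag, oid, _ = der_read(alg)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    bit_tag, bits, _ = der_read(spki, pos) # BIT STRING wrapping RSAPublicKey
    if bit_tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_key, _ = der_read(bits, 1)
    _, n_bytes, pos = der_read(rsa_key)    # INTEGER modulus
    _, e_bytes, _ = der_read(rsa_key, pos) # INTEGER publicExponent
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def parse_dkim_record(txt):
    """Split a DKIM key TXT record into tag=value pairs; folding whitespace in values is dropped."""
    pairs = (f.split("=", 1) for f in txt.split(";") if "=" in f)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def key_from_record(txt):
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported k= value: " + tags["k"])
    return parse_spki(base64.b64decode(tags["p"]))

def p_to_pem(p_value):
    """The p= value is exactly the body of a PEM 'PUBLIC KEY' block, minus the armour lines."""
    body = "\n".join(re.findall(".{1,64}", re.sub(r"\s+", "", p_value)))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"

# Constructed toy SubjectPublicKeyInfo (hand-encoded DER): n = 0xFFE000FF, e = 65537.
# The modulus is far too small for real use; it only shows that p= carries n AND e.
TOY_SPKI = bytes.fromhex("3020300d06092a864886f70d0101010500030f00300c020500ffe000ff0203010001")
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(TOY_SPKI).decode()
```

Feeding `p_to_pem(...)` to any PEM reader gives the same key that `key_from_record` decodes by hand, which is the point of both remarks: the exponent is not an out-of-band constant once p= is a SubjectPublicKeyInfo.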


_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
