ietf-dkim

Re: [ietf-dkim] Re: 1368 straw-poll

2007-02-26 11:53:52
At 10:10 AM -0800 2/26/07, Dave Crocker wrote:
> Paul Hoffman wrote:
>> At 8:48 AM -0800 2/26/07, Dave Crocker wrote:
>>> The proposed mechanism incurs an additional lookup for every signed message.

>> You keep saying this without justifying it. Others have shown it to be wrong. Please stop repeating it or support your statement.

> Actually, they haven't.

Well, at least I have. If a recipient gets a message with a valid signature, they never need to look up an SSP record. That refutes your statement pretty fully, doesn't it?

>>> 2. Unless I'm missing something pretty basic, the duration of a transition is the time between when the last message is signed with an algorithm and when the signer deletes the key record. For DKIM intended use, I believe this duration will be in the range of 3-10 days. If I'm wrong, it would help for someone to explain how.

>> Simple: we allow signers to sign with multiple algorithms. Therefore the transition can last as long as the signer wants. It is possible that this might be many years.

> Were DKIM intended to have signatures that lasted years, that might make sense. Since it isn't, I am pretty sure it doesn't.

And you would be wrong. If I am signing a message with both A and B, it doesn't matter how long the key for each signature lasts; the transition lasts for as long as I am using both algorithms. This is no different than any other security protocol.

--Paul Hoffman, Director
--Domain Assurance Council
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html