ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] New Issue: note on figure in overview draft

2008-03-23 15:31:48

On Mar 23, 2008, at 2:34 PM, Dave Crocker wrote:

Double mumble.

Jim,

Per the response to Levine's concern, I'd rather simply have text  
that dodges the question of multiple signatures, here.  Multiple  
sigs are fine, but the figure is trying to look at a more contained  
topic.  I believe that having the figure explicitly show multiple  
sigs will, for example, require showing multiple private/public key  
pairs, and probably some sort of iterative behavior to cycle through  
each key.  Since this is an architectural diagram, rather than a  
functional flow chart, I don't think the complexity of iteration is  
needed.

Can you live with that?

Signature validation will incur additional processing and must also  
deal with multiple signatures per message as this is afforded by  
DKIM.  With actions flowing from "Verify Signatures" step in the  
diagram, this appears to be based upon an assumption all signatures  
within a message are to be validated.  Domain/address assessments  
ahead of signature validations may be needed to defend limited  
resources.   Unfortunately it appears there is no consideration as to  
where such strategy might be employed in defending the receiver's  
validation resources.  It is possible a practical solution would be to  
only check signatures of white-listed domains.  Where would this fit  
within the diagram?  It seems defensive methods for DKIM validation  
processing are not congruent with the described workflow in the  
diagram.  Is it really necessary to assume that all messages will have  
all their signatures validated?

-Doug

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html