On Jun 1, 2009, at 8:33 AM, Siegel, Ellen wrote:

> DKIM-Signature Header tags
>
> x: Signature expiration
>
> Expiration is a fairly common feature in signing specifications. But DK and DKIM are different in that the public key is not distributed to others, it's always under the control of the signer. Does this add anything that removing the DNS TXT record doesn't do? Is it used? Is it necessary?
>
> Unless there are implementations out there that cache the public key for extended periods of time, I don't see any benefit of the signature expiration tag that's not available by removing the DNS txt record.
>
> And if it's absolutely necessary to distinguish between the case of "there never was a record" and "this key has been expired/revoked", it seems like keeping the txt record and removing the key would cover the latter... although I'm not sure there's really a reason to make the distinction.
I agree with Ellen that there's hardly any use for signature expiration that can't be solved by yanking the key from the DNS.

DKIM is a short-term protocol. The signature on a message is supposed to protect it while it is in transit. The longer a message sits in a mailbox, the less value the DKIM signature has. Expiring the signatures has little value.

On the other hand -- it's already in there. The arguments we're making now are all good arguments for never having x=, and less good for taking it out. Despite it being an idea of limited use, someone might be using it, and someone might think of a good reason to have it in a few years. Murphy's law being what it is, someone will find a really good use for it if and only if we remove it.

My suggestion is to ask some implementers. If they think it made implementing DKIM hard, or they see value to removing it, then do so. If they are lukewarm or supportive, keep it in.
Jon
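As an added illustration, not part of the thread above, the following sketch shows how a verifier distinguishes the three outcomes the posts contrast: a signature whose x= timestamp has passed, a selector record that is still published but carries an empty p= (which the DKIM base spec defines as a revoked key), and no selector record at all. All header and record values are constructed placeholders, and the signature itself is not cryptographically checked here.

```python
# Minimal DKIM timing/key-state policy check (constructed example).
# Only the tag-list handling is shown; RSA verification is out of scope.

def parse_tags(tag_list):
    """Parse a DKIM tag=value list ("v=1; a=rsa-sha256; ...") into a dict.
    Splitting on the first '=' keeps base64 padding inside values intact."""
    tags = {}
    for item in tag_list.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def check_expiration(sig_tags, now):
    """Return None if the signature is within its validity window, else a reason."""
    if "x" not in sig_tags:
        return None                       # no expiration requested by the signer
    x = int(sig_tags["x"])
    t = int(sig_tags.get("t", "0"))
    if x < t:                             # x= must not be earlier than t=
        return "invalid: x= earlier than t="
    if now > x:
        return "expired: signature past x="
    return None

def check_key_record(txt_record):
    """Classify the selector lookup: no record, revoked key, or usable key."""
    if txt_record is None:
        return "no key record"            # nothing published at selector._domainkey.<d>
    key = parse_tags(txt_record)
    if key.get("p", "") == "":
        return "key revoked"              # empty p= means the key has been revoked
    return "key available"

def verify_policy(sig_header, txt_record, now):
    """Apply the time check first, then the key-state check."""
    sig = parse_tags(sig_header)
    reason = check_expiration(sig, now)
    return reason if reason else check_key_record(txt_record)

# Constructed sample data: t= is the signing time, x= is t= plus seven days.
SIG = ("v=1; a=rsa-sha256; d=example.com; s=sel; t=1243866000; x=1244470800; "
       "h=from:to:subject; bh=FAKEBODYHASH=; b=FAKESIGNATURE=")
KEY_OK = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFAKEKEY="  # placeholder key
KEY_REVOKED = "v=DKIM1; k=rsa; p="                                              # record kept, key removed

if __name__ == "__main__":
    print(verify_policy(SIG, KEY_OK, 1243900000))       # key available
    print(verify_policy(SIG, KEY_OK, 1244500000))       # expired: signature past x=
    print(verify_policy(SIG, KEY_REVOKED, 1243900000))  # key revoked
    print(verify_policy(SIG, None, 1243900000))         # no key record
```

The last two cases are the distinction Ellen describes: pulling the whole TXT record yields "no key record", while publishing it with an empty p= yields "key revoked", and neither needs x= to take effect.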
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html