ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] RFC4871bis - whether to drop -- x: Signature expiration

2009-06-01 19:04:45
from [Jon Callas] [Permanent Link] 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Jun 1, 2009, at 8:33 AM, Siegel, Ellen wrote:





  DKIM-Signature Header tags

    x: Signature expiration

Expiration is a fairly common feature in signing specifications. But
DK and DKIM are different in that the public key is not  
distributed to
others, it's always under the control of the signer. Does this add
anything that removing the DNS TXT record doesn't do? Is it used? Is
it necessary?




Unless there are implementations out there that cache the public key  
for extended periods of time, I don't see any benefit of the  
signature expiration tag that's not available by removing the DNS  
txt record.

And if it's absolutely necessary to distinguish between the case of  
"there never was a record" and "this key has been expired/revoked",  
it seems like keeping the txt record and removing the key would  
cover the latter... although I'm not sure there's really a reason to  
make the distinction.


I agree with Ellen that there' hardly any use for signature expiration  
that can't be solved by yanking the key from the DNS.

DKIM is a short-term protocol. The signature on a message is supposed  
to protect it while it is in transit. The longer a message sits in a  
mailbox, the less value the DKIM signature has. Expiring the  
signatures has little value.

On the other hand -- it's already in there. The arguments we're making  
now are all good arguments for never having x=, and less good for  
taking it out. Despite it being an idea of limited use, someone might  
be using it, and someone might think of a good reason to have it in a  
few years. Murphy's law being what it is, someone will find a really  
good use for it if and only if we remove it.

My suggestion is to ask some implementers. If they think it made  
implementing DKIM hard, or they see value to removing it, then do so.  
If they are lukewarm or supportive, keep it in.

        Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.6.3
Charset: US-ASCII

wj8DBQFKJF3YsTedWZOD3gYRApqmAJ9xLY+RH97bDS56IY5RBJ+ocNoihQCfaBBB
EbBiqKG2anEQKBxdVYDcG+w=
=1LWk
-----END PGP SIGNATURE-----
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] RFC4871bis - whether to drop -- SHA1 support, Jon Callas
Next by Date:  Re: [ietf-dkim] RFC4871bis - whether to drop -- SHA1 support, Suresh Ramasubramanian
Previous by Thread:  Re: [ietf-dkim] RFC4871bis - whether to drop -- x: Signature expiration, Siegel, Ellen
Next by Thread:  Re: [ietf-dkim] RFC4871bis - whether to drop -- x: Signature expiration, John Levine
Indexes:  [Date] [Thread] [Top] [All Lists]