On Thu, 13 Jan 2011 17:00:03 -0000, Steve Atkins <steve(_at_)wordtothewise(_dot_)com> wrote:
> But if other ways of getting the public key are more suitable, what's
> left? The only thing DKIM does is allow a domain to assert responsibility
> for a message in a relatively cheap (if unreliable) way.
That is most certainly NOT the only thing DKIM does, nor even the most
important.
What it does is to provide a mechanism for parceling up any document in
headers+body format in such a manner that changes to the document en route (or
changes to the parts of the document that the originator particularly
wanted to protect) can be detected cheaply, and even reliably if the key
management is adequate. And it provides a syntax and semantics for a
Signature header, with an extensible format based on tags, to do all that.
> If you take away the fundamental "You use this selector and this d=
> value in order to find the public key" then you're not left with much
> other than a quick-and-dirty canonicalization method that's tuned to the
> ways messages get corrupted in email transit.
There are several canonicalizations of varying quick-and-dirty degrees,
plus provision for plugging in new ones.
The "d=" tag asserts that the signature was on behalf of a domain, and
provides a mechanism to retrieve the public key (but not reliably, as you
say, since the DNS record might not exist for ever).
But some other tag could easily be invented to assert that the signature
was on behalf of some other kind of entity, and that the key would be
available via some other mechanism (as defined for that tag). No rocket
science there.
So DOSETA should provide for multiple plug-in key storage mechanisms in
just the same way as it provides for multiple plug-in canonicalizations.
By all means include the current DNS method as plug-in-key-management #1.
> What would be a good use case for DKIM-without-DNS?
Nobody is suggesting DKIM-without-DNS. The DKIM RFC would state that the
allowed set of tags would be such and such (either as defined in DOSETA,
or some additional ones defined for use in DKIM only). Use of "d=" as
currently defined would, of course, be mandatory in DKIM. What tags the
FOOBAR protocol allows would be defined in the FOOBAR standard.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
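The tag-list Signature header and the "plug-in key storage keyed by tag" idea from the message above, as an added example that is not code from the thread or from any DKIM implementation: it parses an RFC 6376 style tag=value list, derives the DNS name that the d= and s= tags point at, and selects the key-location mechanism from a small table. The "ku" tag and url_key_locator are hypothetical stand-ins for the "some other tag" the message speculates about; the header value is constructed.

```python
# Added example (not from the thread): parse a DKIM-Signature tag list
# and pick the public-key location mechanism through a pluggable table.
import re

# Constructed sample header value, folded across lines as on the wire.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;\r\n"
    "\ts=sel2011; h=from:to:subject:date;\r\n"
    "\tbh=QmFzZTY0Qm9keUhhc2g=; b=QmFzZTY0U2lnbmF0dXJl"
)


def parse_tag_list(value):
    """Split a tag=value list (RFC 6376 section 3.2).
    Folding whitespace inside a value is removed; a duplicated tag is
    rejected, since a verifier must not let a second d= or b= win."""
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue  # a trailing ';' is permitted
        name, sep, val = item.partition("=")
        if not sep:
            raise ValueError("tag without '=': %r" % item)
        name = name.strip()
        if name in tags:
            raise ValueError("duplicate tag %r" % name)
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def dns_key_locator(tags):
    """DKIM's mechanism: selector and d= name the TXT record to fetch."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def url_key_locator(tags):
    """Hypothetical second mechanism keyed by a made-up 'ku' tag."""
    return tags["ku"]


# Identifying tag -> mechanism; d= is listed first so it takes precedence.
KEY_LOCATORS = {"d": dns_key_locator, "ku": url_key_locator}


def locate_key(tags, locators=KEY_LOCATORS):
    """Return (tag, where-to-fetch) for the first supported tag present."""
    for tag, locator in locators.items():
        if tag in tags:
            return tag, locator(tags)
    raise ValueError("no key-location tag present")
```
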