ietf-dkim

Re: [ietf-dkim] Certifying the DKIM public key?

2011-05-19 17:19:56
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org 
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Rolf E. 
Sonneveld
Sent: Thursday, May 19, 2011 2:33 PM
To: IETF DKIM WG
Subject: [ietf-dkim] Certifying the DKIM public key?

Hi, all,

recently someone asked me whether it would have any added value if the
DKIM public key, which is stored in DNS, would be 'certified' in some
(yet to be determined) way by a 3rd party like VeriSign, Thawte etc.? My
first reaction was, that it made no sense, but I'm no longer sure
whether that's the only possible answer. For example: does it have an
added value if a VeriSign Trust Seal certificate would be used for the
DKIM public key?

Maybe I should send this question to the domainrep list, as 'certifying'
a DKIM public key may have more to do with domain reputation and
accreditation than with DKIM itself.

Anyway, any thoughts on this topic appreciated.

The use of plain RSA keys without requiring a third-party certification was a 
specific design criterion for DKIM.  You could change to using some kind of 
certificate that is signed by someone else, but you'd need a new key type and 
corresponding signing algorithm(s) that evaluate the more complex keys and then 
tie them to whatever your trusted certifiers list is, and would probably pretty 
much mandate TCP for DNS.

It seems to me this is a bullseye for what VBR is capable of providing.

This is also probably in-scope for "domainrep", I think, but not so much for 
this WG.  A follow-on DKIMbis WG or individual efforts could add this 
capability by registering extensions, although you need to accept that the 
roll-out for that approach once published will be pretty long.

That said, I'd be game to try.  :-)

-MSK


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
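For readers who have not seen VBR in practice, the following is an added illustration of the receiver-side check that the reply above points to, written for this page; it is not code from the ietf-dkim list, from OpenDKIM or from any VBR implementation. It follows RFC 5518 as I read it: the sender adds a VBR-Info header field (md= the domain being vouched for, mc= the message type, mv= a colon-separated list of vouching services), and the receiver queries the TXT record at <md>._vouch.<service> to see which message types that service vouches for. All domain names, the DNS answers and the VBR-Info values below are constructed for the example; there is no network access, the DNS table is a plain dict. Two points MSK's reply makes show up directly in the code: the vouching service must be on the receiver's own trusted list (the mv= tag is only a hint), and md= must already be authenticated for the message (for instance the d= of a DKIM signature that verified), otherwise the voucher is being asked about a domain the sender merely claimed.

```python
"""Added example for this page: a receiver-side VBR (RFC 5518) check.

Illustrative code only; domains, DNS answers and header values are
constructed here so the example runs offline."""

import re

# Constructed stand-in for DNS.  A vouching service publishes
#   <sender-domain>._vouch.<service>   TXT   "type [type ...]"
# where type is "transaction", "list" or "all" (RFC 5518 section 5).
FAKE_DNS_TXT = {
    "example.com._vouch.vouch.example": "transaction list",
    "newsletter.example._vouch.vouch.example": "list",
    "example.com._vouch.other-voucher.example": "all",
}

# The receiver's own list of vouching services it has decided to believe.
# The mv= tag in the message is advisory; a service not on this list is
# ignored no matter what the sender claims (constructed for the example).
TRUSTED_VOUCHERS = {"vouch.example"}

# tag=value pairs separated by ';', whitespace tolerated around both
VBR_TAG_RE = re.compile(r"\s*(?P<k>[a-z]+)\s*=\s*(?P<v>[^;]*?)\s*(?:;|$)")


def parse_vbr_info(value):
    """Parse the value of a VBR-Info header field into md/mc/mv.

    Returns None if any required tag is missing.  mv may name several
    vouching services separated by ':'.  Domains are lowercased because
    DNS names (and DKIM d= values) are case-insensitive.
    """
    tags = {m.group("k"): m.group("v") for m in VBR_TAG_RE.finditer(value)}
    if not {"md", "mc", "mv"} <= set(tags):
        return None
    return {
        "md": tags["md"].lower(),
        "mc": tags["mc"].lower(),
        "mv": [s.lower() for s in tags["mv"].split(":") if s],
    }


def lookup_txt(name, dns=FAKE_DNS_TXT):
    """Stand-in for a DNS TXT query against the constructed table."""
    return dns.get(name.lower())


def vbr_check(vbr_info_value, authenticated_domains,
              trusted=TRUSTED_VOUCHERS, dns=FAKE_DNS_TXT):
    """Return (ok, reason).  ok is True only when all of these hold:

    1. the VBR-Info field parses;
    2. md= is a domain already authenticated for this message, e.g. the
       d= of a DKIM signature that verified (an unauthenticated md= would
       let anyone borrow a vouched-for domain);
    3. some service in mv= is also on the receiver's trusted list;
    4. that service's TXT record vouches for the mc= type, or for "all".
    """
    info = parse_vbr_info(vbr_info_value)
    if info is None:
        return False, "malformed VBR-Info"
    md = info["md"]
    if md not in {d.lower() for d in authenticated_domains}:
        return False, f"md={md} is not an authenticated domain for this message"
    for service in info["mv"]:
        if service not in trusted:
            continue                      # sender's hint, not our trust anchor
        types = lookup_txt(f"{md}._vouch.{service}", dns)
        if types is None:
            continue                      # this voucher says nothing about md
        vouched = set(types.split())
        if info["mc"] in vouched or "all" in vouched:
            return True, f"{service} vouches for {md} as {info['mc']}"
    return False, "no trusted vouching service confirms this domain and type"


if __name__ == "__main__":
    # Constructed message: DKIM verified with d=example.com, and the sender
    # added  VBR-Info: md=example.com; mc=transaction; mv=vouch.example
    dkim_verified = ["example.com"]
    print(vbr_check("md=example.com; mc=transaction; mv=vouch.example",
                    dkim_verified))
    # Same header on a message whose only verified signature is for another
    # domain: the claim is rejected before any DNS lookup happens.
    print(vbr_check("md=example.com; mc=transaction; mv=vouch.example",
                    ["attacker.example"]))
```

The shape of the check is what makes VBR a fit for the question in the thread: the DKIM key record stays a plain key, the "certification" lives in a separate TXT record under a name the receiver controls the trust for, and no new key type or larger DNS answer is needed.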