ietf-dkim

Re: [ietf-dkim] Certifying the DKIM public key?

2011-05-22 10:23:49
On 05/22/2011 08:02 AM, Dave CROCKER wrote:

3. As noted, certification was explicitly de-coupled from DKIM. I'll claim
that it really is a separate, value-added service and any support of it
should be through a separate, value-added mechanism. My own preference
would be for using a special header-field that contains the cert, with the
specification of using such certs as saying that they are enabled when
included in the set of h= covered header fields.

Well, X.509 style certification certainly was. But using DNS is a
form of certification which is arguably not much worse than going
to GoDaddy and proving that you can receive email from the domain,
or whatever weak tests they use to establish that you have control
of the domain. The weak part of the DKIM/DNS chain isn't the certification
part (if you believe that GoDaddy et al. aren't problematic); it's the
lack of data integrity in the transport of the DKIM RR, which can
be solved with DNSSEC.

Given how problematic X.509 has been for people to get their heads
around, I think that DKIM has done a service in providing an
alternative mechanism/trust root for establishing identity
that is workable, especially with its solution to the revocation
problem.

Mike
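The transport-integrity point above, as an added example that is not from this thread or from any DKIM implementation: a stdlib-only Python check that accepts a DKIM key record only when the answer carries the DNSSEC AD (Authenticated Data) flag and a usable p= value. The DNS message builder, the selector name and the p= value are constructed samples, not captured traffic.

```python
import struct

def encode_name(name):
    """Wire-encode a DNS name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def build_txt_response(name, txt, ad):
    """Construct a minimal DNS response (sample, not captured traffic) with one TXT answer."""
    flags = 0x8180 | (0x0020 if ad else 0)             # QR, RD, RA, optionally AD
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 16, 1)   # qtype TXT, qclass IN
    chunks = [txt[i:i + 255].encode() for i in range(0, len(txt), 255)]
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)     # TXT <character-string>s
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    return header + question + answer

def parse_txt_response(msg):
    """Return (ad_flag, txt) for a response shaped like build_txt_response() emits."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    ad, off = bool(flags & 0x0020), 12
    for _ in range(qd):                                  # skip the question section
        while msg[off] != 0:
            off += msg[off] + 1
        off += 1 + 4
    if an == 0:
        return ad, None
    off += 2                                             # assumes a 2-byte compression pointer
    rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    rdata, parts, i = msg[off:off + rdlen], [], 0
    while i < len(rdata):                                # join the character-strings
        n = rdata[i]
        parts.append(rdata[i + 1:i + 1 + n])
        i += 1 + n
    return ad, (b"".join(parts).decode() if rtype == 16 else None)

def parse_dkim_tags(txt):
    """Split a DKIM key record (tag=value list) into a dict."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def trusted_dkim_key(msg):
    """Accept the key only if the answer was DNSSEC-validated (AD set), is a
    DKIM1 record, and carries a non-empty p= (an empty p= means the key is revoked)."""
    ad, txt = parse_txt_response(msg)
    tags = parse_dkim_tags(txt) if ad and txt is not None else {}
    ok = tags.get("v", "DKIM1") == "DKIM1" and bool(tags.get("p"))
    return tags if ok else None
```

The AD flag is only meaningful when it comes from a validating resolver reached over a path you trust (typically a local one); a remote resolver's AD bit is itself unauthenticated without something like DNS over TLS.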
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html