ietf-dkim

Re: [ietf-dkim] Certifying the DKIM public key?

2011-05-22 12:51:47
On 05/22/2011 10:27 AM, John R. Levine wrote:
> It occurs to me that since mail certification is likely to make assertions
> about behavior as well as identity, the SSL model in which certs last for
> a year won't work, since behavior can change rapidly.  Either the
> certifier has to issue a stream of short-term certs to everyone it
> certifies, or the verifiers have to check CRLs, which is tedious.  By the
> time you do all that, a DNS check, even one with DNSSEC, looks pretty
> attractive.


But this is exactly what DKIM is. You prove yourself fsvo "prove"
to the registrar who "certifies" you by virtue of placing your NS
records in the root servers instead of issuing a cert. Nothing
different in *essence* to x.509 certs. The "advantage" that
x.509-style certs have is that you can verify them offline. Except
when you factor in CRLs, which in any reasonable scheme you
must do. So yes, DKIM saves quite a bit of overhead by not
caring about the problematic offline verification problem.

There's really not a need of yet another certifier that I can see:
if your DNS is compromised, you have far, far larger problems than
DKIM.

Mike
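An added illustration of the point made in this exchange, not code from the list or from any DKIM implementation: a DKIM verifier's "certificate check" is a DNS lookup of `<selector>._domainkey.<domain>`, and revocation needs no CRL because the signer simply publishes an empty `p=` tag (RFC 6376 defines an empty `p=` as a revoked key). The script parses the `d=` and `s=` tags of a DKIM-Signature header, derives the query name, and classifies the key record it finds. The DKIM-Signature header, the TXT records and the `SAMPLE_DNS` table are constructed inline so it runs offline; a real verifier would issue the DNS query (ideally DNSSEC-validated) instead of consulting that dict. Function names are mine.

```python
import re
from typing import Dict, Mapping

# Constructed sample DKIM-Signature header (bh= and b= are placeholders,
# this script only needs the d= and s= tags to locate the public key).
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2011;\r\n"
    "\th=from:to:subject:date; bh=...; b=..."
)

# Constructed DKIM key records as they would appear in DNS TXT data.
# The p= value below is a truncated placeholder, not a real key.
ACTIVE_RECORD = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ..."
REVOKED_RECORD = "v=DKIM1; k=rsa; p="          # empty p= : key revoked

# Constructed stand-in for the DNS zone; a real verifier queries DNS here.
SAMPLE_DNS: Dict[str, str] = {
    "sel2011._domainkey.example.com": ACTIVE_RECORD,
    "sel2010._domainkey.example.com": REVOKED_RECORD,
}


def parse_tag_list(value: str) -> Dict[str, str]:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2).

    Whitespace around tag names is dropped and folding whitespace inside
    values (common in long p= and b= tags) is removed.
    """
    tags: Dict[str, str] = {}
    for item in value.split(";"):
        if not item.strip():
            continue                      # trailing ';' or empty element
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        name, val = item.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_query_name(signature_header: str) -> str:
    """DNS name a verifier queries for the signer's key:
    <selector>._domainkey.<signing domain> (RFC 6376 section 3.6.2.1)."""
    sig = parse_tag_list(signature_header)
    for required in ("d", "s"):
        if required not in sig:
            raise ValueError(f"DKIM-Signature lacks required tag {required}=")
    return f"{sig['s']}._domainkey.{sig['d']}"


def key_status(txt_record: str) -> str:
    """Classify a DKIM key record: active, revoked, unsupported or invalid."""
    rec = parse_tag_list(txt_record)
    if rec.get("v", "DKIM1") != "DKIM1":
        return "invalid"              # unknown key-record version
    if "p" not in rec:
        return "invalid"              # p= is mandatory
    if rec["p"] == "":
        return "revoked"              # RFC 6376: empty p= means revoked
    if rec.get("k", "rsa") != "rsa":
        return "unsupported"          # key type this checker does not handle
    return "active"


def lookup_signer_key(signature_header: str, dns: Mapping[str, str]) -> str:
    """The verifier's 'certificate check': one DNS lookup, no CRL.

    `dns` stands in for the resolver; the authenticity of the answer rests
    entirely on DNS (hence the interest in DNSSEC on the list).
    """
    name = key_query_name(signature_header)
    record = dns.get(name)
    if record is None:
        return "missing"              # no key published: signature unverifiable
    return key_status(record)


if __name__ == "__main__":
    print(key_query_name(SAMPLE_SIGNATURE))
    print(lookup_signer_key(SAMPLE_SIGNATURE, SAMPLE_DNS))
    print(key_status(REVOKED_RECORD))
```

Rotating to a new selector and blanking the old record's `p=` is the DKIM equivalent of revoking a certificate, and the change takes effect as soon as the old TXT record's TTL expires, which is the short-lived-credential property the quoted message asks for.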
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html