There is a certain level of functionality you can get by repurposing DNS. If
you want to go beyond that level you really need to start looking at a
separate key management scheme that is designed for the purpose.
The obvious candidate is XKMS, which is compact, lightweight and provides
both the necessary retrieval and registration functionality.
You can't do per-user keying in the philosophy of DK without providing a
complete end user experience.
I know that folk keep muttering the perfect is the enemy of the good, but
the incomplete is the enemy of the user. I am not talking about
crypto-perfectionism here. I am talking about a complete end user
experience.
-----Original Message-----
From: owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Tony Finch
Sent: Wednesday, January 12, 2005 8:53 AM
To: Sam Hartman
Cc: ietf-mailsig(_at_)imc(_dot_)org
Subject: Re: Good as the enemy of OK
On Wed, 12 Jan 2005, Sam Hartman wrote:

> I do note that you're actually somewhat vulnerable to this replay even
> with signed bodies. I go get a free email account from an email
> provider with a reasonably good reputation. I send email containing
> the spam body I want to some recipient I control that will look good
> in to: headers. Now that I've got this signature, I can replay the
> message at any envelope recipient I want.
>
> This puts the free email provider in the position of needing to revoke
> the key I'm using, but they cannot do that until the other mail signed
> with that key has had a chance to flow through the system.

If you implement per-user keys, then revocation of an account
can imply revocation of the key without affecting any
innocent bystanders. However there are efficiency
considerations for recipients (how many keys are they
expected to cache, and for how long) and for senders
(per-user keys with low TTLs make joe jobs have a worse effect).
Tony.
--
f.a.n.finch <dot(_at_)dotat(_dot_)at> http://dotat.at/
EAST NORTHERN SECTION: IN SOUTH, WEST OR NORTHWEST 7 TO
SEVERE GALE 9, OCCASIONALLY STORM 10 OR VIOLENT STORM 11 IN
EAST AT FIRST, DECREASING 5 OR 6, BACKING SOUTH 7 IN WEST
LATER. SHOWERS, CLEARING LATER. MODERATE OR GOOD OCCASIONALLY
POOR AT FIRST.
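The revocation and caching trade-off Tony describes, modelled as an added example (this is not code from the thread or from any DomainKeys implementation). A dictionary stands in for the DNS TXT records under selector._domainkey.domain, and HMAC-SHA256 stands in for the real public-key signature so the example runs with only the standard library; the domain, selector names, keys and messages are all constructed for illustration. It shows that closing an account under a shared domain key can only be enforced by revoking the key every user relies on, whereas a per-user selector revokes just that account, and that a receiver's key cache keeps honouring a revoked key until its TTL runs out.

```python
"""Toy model: domain-wide versus per-user signing keys with a TTL key cache.
Added example, not part of the original thread. HMAC stands in for the
public-key signature; the "zone" dict stands in for DNS. All values below
are constructed."""
import hashlib
import hmac
import time

# Constructed "DNS zone": record name -> (key, ttl_seconds)
ZONE = {}


def publish(domain, selector, key, ttl):
    ZONE[f"{selector}._domainkey.{domain}"] = (key, ttl)


def revoke(domain, selector):
    """Provider-side revocation: the record simply disappears from DNS."""
    ZONE.pop(f"{selector}._domainkey.{domain}", None)


def sign(message, key):
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class Verifier:
    """Receiver-side verifier that caches fetched keys for their TTL."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.cache = {}  # record name -> (key, expires_at)

    def _lookup(self, name):
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0]  # still within TTL: no fresh DNS query
        rec = ZONE.get(name)
        if rec is None:
            self.cache.pop(name, None)
            return None
        key, ttl = rec
        self.cache[name] = (key, now + ttl)
        return key

    def verify(self, domain, selector, message, sig):
        key = self._lookup(f"{selector}._domainkey.{domain}")
        if key is None:
            return False
        return hmac.compare_digest(sign(message, key), sig)


def scenario():
    """Walk through account closure under both keying schemes."""
    clock = [0.0]
    v = Verifier(clock=lambda: clock[0])
    # One shared domain key (long TTL) and one selector per user (short TTL).
    publish("example.com", "shared", b"domain-wide-key", ttl=3600)
    publish("example.com", "alice", b"alice-key", ttl=300)
    publish("example.com", "mallet", b"mallet-key", ttl=300)
    alice_msg = b"From: alice@example.com\r\n\r\nhello"
    mallet_msg = b"From: mallet@example.com\r\n\r\nbuy now"
    sigs = {
        "alice_shared": sign(alice_msg, b"domain-wide-key"),
        "alice_own": sign(alice_msg, b"alice-key"),
        "mallet_shared": sign(mallet_msg, b"domain-wide-key"),
        "mallet_own": sign(mallet_msg, b"mallet-key"),
    }
    out = {}
    out["before"] = all([
        v.verify("example.com", "shared", alice_msg, sigs["alice_shared"]),
        v.verify("example.com", "alice", alice_msg, sigs["alice_own"]),
        v.verify("example.com", "shared", mallet_msg, sigs["mallet_shared"]),
        v.verify("example.com", "mallet", mallet_msg, sigs["mallet_own"]),
    ])
    # The provider closes mallet's account and drops the per-user record.
    revoke("example.com", "mallet")
    # A receiver that already cached the key still accepts mail until the TTL lapses.
    out["mallet_own_cached"] = v.verify("example.com", "mallet", mallet_msg, sigs["mallet_own"])
    clock[0] += 301
    out["mallet_own_expired"] = v.verify("example.com", "mallet", mallet_msg, sigs["mallet_own"])
    # Alice's per-user key is untouched, so her mail keeps verifying.
    out["alice_own_after"] = v.verify("example.com", "alice", alice_msg, sigs["alice_own"])
    # Under the shared key the only lever is revoking the key for everyone.
    revoke("example.com", "shared")
    clock[0] += 3601
    out["alice_shared_after"] = v.verify("example.com", "shared", alice_msg, sigs["alice_shared"])
    return out


if __name__ == "__main__":
    for k, val in scenario().items():
        print(f"{k}: {val}")
```

Running it prints `mallet_own_cached: True` followed by `mallet_own_expired: False`, which is the window Tony's caching question is about: the shorter the TTL, the faster a revocation takes effect at receivers, at the cost of more key fetches and, as the reply notes, more exposure for senders whose keys are looked up repeatedly.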