ietf-mailsig

Re: draft-delany-domainkeys-base-02.txt

2005-03-29 22:09:40
ned(_dot_)freed(_at_)mrochek(_dot_)com wrote:

> the nature of the 'assurances' being offered is intentionally minimal.  the
> purpose of the finer-grained keys has more to do with management than it does
> with making strong assurances about the purported author.

> I'm OK with it as long as it's clear this is only done for the purposes of
> getting finer-grained keys and we're not shifting away from transit validation.
Getting a finer-grained key does not change the semantics of the signature. It still represents an authorization from the owner of the domain to use some address. It does not mean you are the person/entity named.

> OTOH, could DNS scaling issues possibly be lurking nearby? (I don't mean this
> to be a rhetorical question - I'm not a DNS guru so I really don't know the
> answer.)
I'd also like to have some more expert review of the DNS issues. Finer-grained keys will hurt some because they will be larger in number, less likely to be already cached, and have a shorter TTL because timely revocation is more important. But I expect that many domains will not use user-granularity keys, many will have only a few user-granularity keys, and only a few domains will have keys primarily at the user level, and this will help a lot.

-Jim
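The DNS-load trade-off Jim describes (more key records, fewer cache hits, shorter TTLs) can be made concrete with a small replay model. This is an added example, not code from the thread or from the DomainKeys draft: it assumes keys are published under `<selector>._domainkey.<domain>`, uses a constructed stream of inbound mail, and assumes a per-user naming scheme in which the selector is simply the local part.

```python
# Constructed sample of inbound mail seen by one verifier:
# (arrival time in seconds, sender address). Invented for illustration.
MAIL = [
    (0, "alice@example.com"), (30, "bob@example.com"), (60, "alice@example.com"),
    (90, "carol@example.com"), (400, "alice@example.com"), (410, "bob@example.com"),
    (700, "dave@example.net"), (720, "alice@example.com"), (1300, "bob@example.com"),
]


def domain_selector(addr):
    """Domain-granularity key: every user of the domain shares one selector."""
    return "mail"


def user_selector(addr):
    """User-granularity key: one selector per local part (assumed naming scheme)."""
    return addr.split("@", 1)[0]


def dns_name(addr, selector_of):
    """Name the verifier must resolve: <selector>._domainkey.<domain>."""
    domain = addr.split("@", 1)[1]
    return f"{selector_of(addr)}._domainkey.{domain}"


def count_lookups(mail, selector_of, ttl):
    """Replay the mail stream through a verifier whose resolver caches each
    key record for `ttl` seconds. Returns (DNS lookups actually issued,
    number of distinct key names the stream touches)."""
    cache = {}  # key name -> time at which the cached record expires
    lookups = 0
    for t, addr in mail:
        name = dns_name(addr, selector_of)
        if cache.get(name, -1) <= t:  # cache miss or expired entry
            lookups += 1
            cache[name] = t + ttl
    distinct = len({dns_name(a, selector_of) for _, a in mail})
    return lookups, distinct


if __name__ == "__main__":
    # A shorter TTL models the faster revocation per-user keys call for.
    for label, sel in (("domain keys", domain_selector), ("user keys", user_selector)):
        for ttl in (3600, 300):
            print(label, "TTL", ttl, "->", count_lookups(MAIL, sel, ttl))
```

With the same mail stream, per-user selectors double the distinct names, and cutting the TTL from 3600 s to 300 s doubles the lookups again, which is the combined effect the message warns about.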
