ietf-mailsig

Re: DKIM: Key revocation

2005-07-15 00:42:10

On July 14, 2005 at 23:29, domainkeys-feedbackbase02(_at_)yahoo(_dot_)com wrote:

Hmm. I'll have to swing back on the draft, but at one stage the plan was 
to use the DK revocation method of continuing to advertise the Key RR with
an empty public key value.

The DKIM draft does specify that an empty p= tag indicates revocation,
I overlooked it.

Would that satisfy your concerns regarding explicit revocation?

Almost.  Something besides an empty public value would be better.
Something that explicitly denotes revocation to disambiguate between
revocation and erroneous configuration.

Either a different tag, like r=, that replaces p= when a key
is revoked, or an alternate p= value that indicates revocation.
The date/time of revocation along with a potential reason indicator
would be informative.

BTW, I see nothing that indicates key expiration.  Is there an
assumption that senders will modify (or remove) the RR when a key
expires?  Key expiration is mentioned in the draft, but nothing
is provided to tell verifiers what the expiration date is.

--ewh

P.S.  The spec should state that the value of the p= tag is the
base64 encoded DER encoded public key in SubjectPublicKeyInfo format.
Now, if you decide not to use SubjectPublicKeyInfo format, you should
explicitly state what format is used.
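As an added illustration (this is not code from the thread, from the DKIM draft, or from any DKIM implementation), the following Python classifier shows the verifier-side view of the points raised above: an empty p= tag is taken as revocation as the draft specifies, p= is expected to be base64 of a DER SubjectPublicKeyInfo and is rejected otherwise, and the proposed r= tag is modelled as a hypothetical alternative that makes revocation distinguishable from a mis-published record. The tag=value record syntax, the v= default of DKIM1, the r= tag, and the sample DER blob are all assumptions or constructed values, labelled as such in the code.

```python
import base64
import binascii

# Constructed sample DER SubjectPublicKeyInfo: SEQUENCE { AlgorithmIdentifier
# { rsaEncryption OID 1.2.840.113549.1.1.1, NULL }, BIT STRING }. The BIT
# STRING holds placeholder bytes, not real key material; only the shape of
# the structure matters for this check.
SAMPLE_SPKI_DER = bytes.fromhex(
    "3014" "300d" "06092a864886f70d010101" "0500" "0303000102"
)
SAMPLE_P = base64.b64encode(SAMPLE_SPKI_DER).decode()


def parse_tags(record):
    """Split a 'tag=value; tag=value' key record into a dict.

    Assumed syntax: pairs separated by ';', whitespace around names and
    values ignored, whitespace inside values dropped (fine for p=, which is
    base64; a real parser would keep spaces in free-text tags like n=).
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag-value pair: %r" % part)
        name, value = part.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError("duplicate tag: %s" % name)
        tags[name] = "".join(value.split())
    return tags


def _der_sequence(buf):
    """Parse a DER SEQUENCE header at the start of buf.

    Returns (body, rest) or None. Indefinite and non-minimal lengths are
    rejected because DER forbids them.
    """
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:
        start, length = 2, first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(buf) < 2 + n:
            return None
        length = int.from_bytes(buf[2:2 + n], "big")
        if buf[2] == 0 or length < 0x80:
            return None  # non-minimal length encoding is not DER
        start = 2 + n
    if len(buf) < start + length:
        return None  # truncated
    return buf[start:start + length], buf[start + length:]


def looks_like_spki(der):
    """Structural check for DER SubjectPublicKeyInfo:
    SEQUENCE { SEQUENCE { OBJECT IDENTIFIER, ... }, BIT STRING }.
    It does not validate the key material itself."""
    outer = _der_sequence(der)
    if outer is None or outer[1]:
        return False  # not a SEQUENCE, or trailing bytes after it
    alg = _der_sequence(outer[0])
    if alg is None or len(alg[0]) < 2 or alg[0][0] != 0x06:
        return False  # AlgorithmIdentifier must begin with an OID
    rest = alg[1]
    return len(rest) >= 3 and rest[0] == 0x03  # subjectPublicKey BIT STRING


def classify_key_record(record):
    """Classify a DKIM key record the way a verifier must.

    'revoked'          p= present but empty (revocation per the draft)
    'revoked-explicit' hypothetical r= tag carrying a revocation time, as
                       proposed in the message above; not part of any spec
    'valid'            p= decodes to something shaped like DER SPKI
    'malformed'        anything else

    Note the ambiguity the message complains about: an operator who publishes
    'p=' by accident is indistinguishable from one who revoked on purpose.
    """
    try:
        tags = parse_tags(record)
    except ValueError:
        return "malformed"
    if tags.get("v", "DKIM1") != "DKIM1":  # assumed default version
        return "malformed"
    if "r" in tags and "p" not in tags:  # hypothetical explicit revocation
        return "revoked-explicit"
    if "p" not in tags:
        return "malformed"
    if tags["p"] == "":
        return "revoked"
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    return "valid" if looks_like_spki(der) else "malformed"


if __name__ == "__main__":
    for rec in ("v=DKIM1; k=rsa; p=" + SAMPLE_P,
                "v=DKIM1; k=rsa; p=",
                "v=DKIM1; k=rsa; p=AAAA",
                "v=DKIM1; r=2005-07-15T00:00:00Z"):  # constructed samples
        print(classify_key_record(rec), "<-", rec[:40])
```

The SPKI check is deliberately shallow: it confirms the outer SEQUENCE, an AlgorithmIdentifier beginning with an OID, and a BIT STRING, which is enough to catch a p= that is valid base64 but was published in some other format (for example a bare RSAPublicKey), the case the P.S. above is about.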

