Re: DKIM - DNS RR



On Mon, 18 Jul 2005, Arvel Hathcock wrote:

Also note that rationale for "verifiers and signers MUST support dns" isunclear to me. Either you want new algorithms supported or you do not butspecifying that they "MUST" support dns means that you can not haveanything other then "q=dns,new
querytype" where as I think  you want to allow just "q=newquerytype"
DNS was selected because (a) we have to specify some method (b) there isprecident for it in this context with SPF, DK, IIM, etc (c) it's alreadybeing used in the real world for SPF and DK widely (d) doesn't require therolling out of some new software package. It doesn't seem logical to specifyno mandatory mechanism. That being the case, and absent any other viablealternatives, q=dns wins the job.


All of the above applies to HTTP as well and its use for public key
retrieval is well documented and has many more years of experience

(i.e. PGP) then with dns and with PGP keyservers there is obviouslypackage available if you're worried about that.


As I pointed out before, DNS is particularly good for retrieval small

fixed size data associated with given host or domain. Its use for publickey data (especially one in text format with non-fixed record size) isquestionable to say it lightly. On the other hand dns seems a lot bettersuited for fixed size fingerprint object data.


I believe that at least two types of signature verification methods
should be available and dns should be one of them but should not be
the only one.

No, new mechanisms MUST NOT require revisison of spec
Right, and I think we've achieved that with the existing language (if I'mwrong please tell me).

The way I read the draft, it does not make it easy to introduce newmethods and Jim said as much too.


What also worries me is that there seems to be taken an approach that any
methods must be such that public key is retrieved from somewhere. I do not
believe that there has been an agreement on this issue as part of MASS
list discussions or that technical arguments say that this is better then

verifying public key included in the message. If anything it seems insome cases one is better while in others the other and this means both

options should be on the table.

--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net

<Prev in Thread]	Current Thread	[Next in Thread>
Re: DKIM - Header Fields, (continued) Re: DKIM - Header Fields, Arvel Hathcock Re: DKIM - Header Fields, Hector Santos Re: DKIM - Header Fields, Arvel Hathcock Re: DKIM - Header Fields, Arvel Hathcock Re: DKIM - Header Fields, Earl Hood Re: DKIM - Header Fields, william(at)elan.net Re: DKIM - Header Fields, Hector Santos Re: DKIM - Header Fields, Earl Hood Re: DKIM - DNS RR, william(at)elan.net Re: DKIM - DNS RR, Arvel Hathcock Re: DKIM - DNS RR, william(at)elan.net <= Re: DKIM - DNS RR, Arvel Hathcock Re: DKIM - DNS RR, william(at)elan.net Re: DKIM - Other Inconsistancies, william(at)elan.net Re: DKIM, Dave Crocker RE: DKIM, Hallam-Baker, Phillip RE: DKIM, william(at)elan.net

Previous by Date:	Re: DKIM - Header Fields, Ned Freed
Next by Date:	Re: Goldilocks Canonicalization, Douglas Otis
Previous by Thread:	Re: DKIM - DNS RR, Arvel Hathcock
Next by Thread:	Re: DKIM - DNS RR, Arvel Hathcock
Indexes:	[Date] [Thread] [Top] [All Lists]