ietf-mailsig
[Top] [All Lists]

RE: DKIM - DNS RR

2005-07-19 14:28:54

True, but HTTP wasn't used with DK and so there's no 
worldwide deployed 
infrastructure based on HTTP which we can take advantage of 
in this context. 

This is not quite true.

There is in fact a deployed base of XKMS/1.1.

There is also a deployed base of HTTP servers. These do not provide the
right semantics though. I cannot infer anything about your authority to
send email from example.com from your ability to publish information
from an HTTP server at example.com.

I wouldn't want to see a second _mandated_ mechanism 
required in the DKIM core spec.

I don't think that a second mandated mechanism is necessary.

However all it would take to enable the use of xkms is to specify the q
parameter. XKMS is a fully specified, standard protocol that already
defines how to discover services via DNS SRV records. 

All it would take to add an XKMS support option is to specify that
q=xkms means that the key may be retrieved via xkms LOCATE and to state
what the discovery parameters are.

As a practical matter anyone who wants to implement client side support
for DKIM should really, really think hard about supporting XKMS since it
provides a simple and effective work-around the problem of DNS service
that does not penetrate to the internals of the organization.

If the client has the ability to resolve DKIM keys using the XKMS
VALIDATE mechanism the problem of DNS RRs that do not penetrate to the
internal network is eliminated, the organization that deploys the
clients just makes sure that they can reach the local XKMS service. This
also provides a realistic deployment mechanism for DNSSEC. If the DNSSEC
protocol changes (watch them) the client can still take advantage of the
DNSSEC enhancements, all you need to do is update the XKMS server.

Well, not making it easy isn't the same as precluding it :)   
The only 
negative text I see is this:

"Currently the only valid value is "dns""

I suggest that we state

        q=dns   Means that the key is stored in a DNS TXT record
        q=dnsrr Means that the key is stored in a DNS DKK record
      q=xkms    Means that the key may be retrieved by means of XKMS
Locate

These can then be mixed according to the current parameters:

        q=dns,dnsrr,xkms



<Prev in Thread] Current Thread [Next in Thread>
  • RE: DKIM - DNS RR, Hallam-Baker, Phillip <=