> It seems entirely reasonable to me that an email product that is
> advertised as DKIM compliant MUST support the dns retrieval
> mechanism.

Agreed.

> That does not suggest to me that an individual signature cannot
> be DKIM compliant unless the key can be retrieved using the dns
> mechanism. It is like saying that everyone MUST support RSA
> signatures, you can still extend to new signature mechanisms
> but you cannot depend on interoperability.

Humm... very interesting.

> I think that it is likely that there will be some significant issues
> supporting end user keying via the DNS, not least the fact that
> some form of key provisioning protocol will be required.

he he... that is an understatement to be sure!

> I think that the way per-user keying is likely to be
> introduced is as a supplement to domain keying and
> that this will strongly encourage the use of different
> key retrieval mechanisms.

Yes, such as HTTP :)

> I very strongly suggest that people do not redo the work
> already done in the W3C XKMS group or PKIX. We already
> have some very good private key management protocols
> that have been exhaustively managed.

I need to find time to look into it and see how complex it would be to
implement.
--
Arvel Hathcock
CEO, Alt-N Technologies, Ltd.
Helping the World Communicate!
http://www.altn.com
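The thread turns on two DKIM details: the q= tag in a DKIM-Signature header names the key retrieval method (dns/txt is the only one a baseline verifier is required to understand, and a signature that offers only some other method is not interoperable), and the i= tag is where a per-user identity would appear alongside the domain key. The following is an added example, not code from this mailing-list thread or from Alt-N's products: it parses a constructed DKIM-Signature value, derives the DNS name a dns/txt lookup would query, and flags signatures that depend on a retrieval method the verifier does not support. The hypothetical method name "http/hypothetical" is a placeholder, not a registered DKIM query method.

```python
"""Classify how a DKIM-Signature's public key would be retrieved.

Added example, not from the original thread. Tag names (v, a, d, s, q, i)
are the real DKIM tags; the sample header and the "http/hypothetical"
query method are constructed for illustration.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample header value (bh= and b= are dummy base64, not real hashes).
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024; "
    "q=dns/txt; h=from:to:subject; bh=ZmFrZQ==; b=ZmFrZXNpZw=="
)

# The only query method a DKIM verifier is required to implement.
BASELINE_METHOD = "dns/txt"


def parse_tags(value: str) -> Dict[str, str]:
    """Split a DKIM tag=value list into a dict, rejecting duplicates and junk.

    Whitespace inside a value is folding whitespace and is removed, which is
    what lets a base64 b= value span several header lines.
    """
    tags: Dict[str, str] = {}
    for field in value.split(";"):
        field = field.strip()
        if not field:
            continue  # trailing ';' is permitted
        if "=" not in field:
            raise ValueError(f"malformed tag: {field!r}")
        name, val = field.split("=", 1)  # b= values contain '=' padding
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def key_lookup(tags: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Return (method, query_name) for the public key this signature points to.

    q= is a colon-separated list of methods and defaults to dns/txt when
    absent. If dns/txt is not among them, a baseline verifier cannot fetch
    the key and must treat the signature as unverifiable.
    """
    for required in ("v", "a", "d", "s", "h", "bh", "b"):
        if required not in tags:
            raise ValueError(f"missing required tag: {required}")
    if tags["v"] != "1":
        raise ValueError(f"unsupported DKIM version: {tags['v']}")
    methods = [m.strip() for m in tags.get("q", BASELINE_METHOD).split(":")]
    if BASELINE_METHOD not in methods:
        return ("unsupported", None)
    # dns/txt queries the TXT record at <selector>._domainkey.<domain>
    return (BASELINE_METHOD, f"{tags['s']}._domainkey.{tags['d']}")


def signing_identity(tags: Dict[str, str]) -> str:
    """Return the i= identity, defaulting to '@<d>' as DKIM specifies."""
    return tags.get("i", "@" + tags["d"])


def is_per_user(tags: Dict[str, str]) -> bool:
    """True when i= carries a local-part, i.e. the signature claims a user,
    not just the domain. The key is still fetched per selector/domain."""
    identity = signing_identity(tags)
    local_part, _, _ = identity.partition("@")
    return local_part != ""


if __name__ == "__main__":
    parsed = parse_tags(SAMPLE_HEADER)
    print(key_lookup(parsed), signing_identity(parsed), is_per_user(parsed))
```

A verifier that receives a signature whose q= names only a non-baseline method should neither fail open nor guess: the sensible outcome is a "permanent failure to retrieve key" result, which is distinct from a bad signature and lets the receiver apply whatever policy it has for unsigned mail.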