ietf-mailsig

Re: revised Proposed Charter

2005-07-28 05:11:04

On Thu, 2005-07-28 at 01:28 -0700, william(at)elan.net wrote:
> On Wed, 27 Jul 2005, Jim Fenton wrote:
>>>> It seems like the difference isn't orders of magnitude.
>>>
>>> Difference in what?
>>
>> Difference in the size of the response.  It's not like we're making a
>> factor-of-10 difference in the amount of data returned from a typical
>> query.
>
> What did you compare? If it's a comparison of DKS public key vs fingerprint
> in DNS, that is a factor of 5 difference there for 1024-bit keys and a factor
> of 10 for 2048-bit keys.

Previously on this list, I expressed concern about the 'g=' option
within the key.  The explanation was 'g=' is needed to constrain the
local-part of mailbox addresses used by third-parties.  I thought this
feature invites the distribution of keys to individuals within domains
across perhaps millions of users.  This then enables all sorts of user
specific applications well beyond DKIM.  These other applications can
now also be listed within the key as well!

This multiplication factor with respect to the magnitude of increased
use of DNS should not include just the added size of the RR, but also
the increased number of such records.  Instead of being proportional to
servers, which is normally the case, this record would be proportional
to the number of users.  With DKIM signatures now independent of the
From/Sender headers, there are also suggestions made to constrain
third-party signing with a permission list of domains published in yet
another TXT policy record.  Would there be a desire to also constrain the
local-part here as well?  If not, why not?

This absorbent use of DNS seems abusive.  To provide rapid responses,
DNS is typically retained in random access memory to avoid incurring the
rotational latency of disk storage.  While the size of memory has grown,
so has the number of active systems, in rough proportion.  At the time I
raised concern about the 'g=' option, I suggested this issue should be
reviewed.

I still think DKIM should be limited to authenticating _just_ domains.
Remove the 'g=' option.  DKIM should not identify the author of the
message, but rather the _domain_ accountable for enforcing email policy.
Mobile users or third-parties should be given keys within sub-domains
that permit the signing of their "From" mailbox _domain_.  Perhaps there
could be a flag that indicates the only local-part permitted for such
distributed keys is 'postmaster', where the key must be used to sign
other addresses.  With DKIM as currently devised, there need to be
provisions made to signal this type of use anyway.  I know this is not
ideal, but this reduces the proliferation of public keys within DNS.

To be safe, ensure the use of DKIM public keys remains proportional to
the number of servers.  This should be done by design.

-Doug
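The two technical points in this exchange (William's size comparison of a public key versus a fingerprint in DNS, and Doug's objection to per-user keys selected by the 'g=' tag) can be checked concretely. The following is an added example written for this archive page, not code from any of the posters or from a DKIM implementation. It DER-encodes an RSA SubjectPublicKeyInfo of a given bit length using a constructed modulus (a random integer of the right length, not a real key; the DER size depends only on the bit length), builds a DKIM key TXT record around it, and compares it with a hypothetical fingerprint-only record (the 'f=' tag is an assumption made here for the comparison, not a DKIM tag). It also parses the 'g=' tag with the wildcard semantics of the DKIM drafts of that period (one optional '*', default '*', empty meaning no match) to classify whether a record is domain-wide or delegated to a single user.

```python
import base64
import hashlib
import random
from typing import Dict, Optional

# --- minimal DER encoding (only what an RSA SubjectPublicKeyInfo needs) ---

def der_length(n: int) -> bytes:
    """DER definite-length encoding: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body

def der_integer(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:            # keep the INTEGER positive (two's complement)
        body = b"\x00" + body
    return der_tlv(0x02, body)

# OID 1.2.840.113549.1.1.1 (rsaEncryption), pre-encoded as tag+length+value.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")

def rsa_spki_der(modulus: int, exponent: int = 65537) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }"""
    rsa_pub = der_tlv(0x30, der_integer(modulus) + der_integer(exponent))
    alg_id = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")   # OID + NULL
    bit_string = der_tlv(0x03, b"\x00" + rsa_pub)              # 0 unused bits
    return der_tlv(0x30, alg_id + bit_string)

def fake_modulus(bits: int, seed: int = 1) -> int:
    """Constructed stand-in for an RSA modulus: odd, exactly `bits` bits long.
    NOT a real key; only its encoded length is of interest here."""
    rng = random.Random(seed)
    return rng.getrandbits(bits) | (1 << (bits - 1)) | 1

# --- DKIM key record construction and parsing -----------------------------

def dkim_key_record(spki: bytes, g: Optional[str] = None) -> str:
    """Build a 'v=DKIM1; k=rsa; [g=...;] p=<base64 SPKI>' TXT record."""
    tags = ["v=DKIM1", "k=rsa"]
    if g is not None:
        tags.append("g=" + g)
    tags.append("p=" + base64.b64encode(spki).decode("ascii"))
    return "; ".join(tags)

def parse_key_record(txt: str) -> Dict[str, str]:
    """Split a tag=value; tag=value record into a dict (whitespace-tolerant)."""
    tags: Dict[str, str] = {}
    for field in txt.split(";"):
        field = field.strip()
        if field:
            name, _, value = field.partition("=")
            tags[name.strip()] = value.strip()
    return tags

def g_allows(g: Optional[str], local_part: str) -> bool:
    """Does the key's g= granularity admit this local-part?
    Assumed semantics (draft-era DKIM): absent g= behaves as '*'; at most one
    '*' matching any run of characters; empty g= matches nothing non-empty."""
    if g is None:
        g = "*"
    if "*" not in g:
        return g == local_part
    head, _, tail = g.partition("*")
    return (local_part.startswith(head) and local_part.endswith(tail)
            and len(local_part) >= len(head) + len(tail))

def key_scope(txt: str) -> str:
    """Classify a key record: domain-wide, delegated to one user, or a pattern."""
    g = parse_key_record(txt).get("g")
    if g is None or g == "*":
        return "domain-wide"
    if g == "":
        return "unusable"
    return "per-pattern" if "*" in g else "per-user"

def record_sizes(bits: int) -> Dict[str, int]:
    """Character counts for a key record vs a hypothetical fingerprint record."""
    spki = rsa_spki_der(fake_modulus(bits))
    p_tag = base64.b64encode(spki).decode("ascii")
    f_tag = hashlib.sha1(spki).hexdigest()          # 20-byte digest as hex
    return {
        "der_bytes": len(spki),
        "p_tag_chars": len(p_tag),
        "f_tag_chars": len(f_tag),
        "key_record_chars": len(dkim_key_record(spki)),
        "fingerprint_record_chars": len("v=DKIM1; k=rsa; f=" + f_tag),
    }

if __name__ == "__main__":
    for bits in (1024, 2048):
        s = record_sizes(bits)
        print(bits, s, "p/f ratio:", round(s["p_tag_chars"] / s["f_tag_chars"], 1))
    per_user = dkim_key_record(rsa_spki_der(fake_modulus(1024)), g="alice")
    print(key_scope(per_user), g_allows("alice", "alice"), g_allows("alice", "bob"))
```

Running it reproduces the numbers behind William's remark: the base64 'p=' payload is 216 characters for a 1024-bit key and 392 for a 2048-bit key, against 40 hex characters for a SHA-1 fingerprint, i.e. roughly 5x and 10x. Doug's scaling concern is then a matter of multiplying the per-user record size by the number of delegated users rather than by the number of signing servers; `key_scope` is the check that tells the two kinds of record apart.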
