ietf-mailsig

RE: QUERY: Key Server Choices

2005-08-03 18:01:55


[mailto:owner-ietf-mailsig@mail.imc.org] On Behalf Of Tony Finch

> I expect that there will be special DKIM-keyserver-specific
> DNS servers which will automate the management job, so the
> only configuration at the ISP would be an NS record to
> delegate the _domainkey sub-zone parallel to the domain's MX
> record, and this is a one-off admin job.

I agree that this is the case, and anyone who wants to deploy a new key
resolution mechanism is likely to have to publish the key info through
both mechanisms in order to support DKIM verification within the SMTP
delivery chain.

The issues that I see motivating an interest in other key management
mechanisms are:

  * Providing archival signature verification
  * Supporting long keys
  * Support for end user keying
  * Regulatory compliance

The DNS mechanism is sufficient to meet the DKIM charter goals. However
there are signature applications that are not supported by these goals.

As a practical matter born of 15 years of the S/MIME vs. PGP war, I do not
want to end up with a new crypto standard war when it can easily
be avoided. There are significant established constituencies that have
as their primary objective the deployment of certain PKI infrastructure. I
would much rather work to create a win-win situation here than spend
time answering 58-point lists of last call objections to the protocol
point by point. And yes, I have been there and done that... And the same
individual is undoubtedly going to raise similar objections to DKIM.


Rather than get into an extended argument with the advocates of the
cryptographic perfectionism approach I would much rather be able to say
that we understand how the protocol can interface to existing PKI
infrastructure to meet those goals.

In particular the US federal government has spent a decade and a huge
amount of money deploying the Federal Bridge CA. An infrastructure has
been established and now they face many of the same problems with
respect to deployment of email security that DKIM faces.

I would rather be in a position to be invited to attend a meeting of the
TWG to explain how DKIM can help turn the FPKI into a valuable and
productive asset than having to tell them that DKIM is essentially
starting the whole PKI design process from scratch.
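The DNS arrangement Tony Finch describes in the quoted paragraph, as an added illustration that is not part of this message, of the DKIM drafts, or of any keyserver product: the ISP's parent zone delegates `_domainkey` to the keyserver operator's name servers with an NS record next to the MX record, and the delegated zone holds the per-selector public key records. The names (example.com, dkim-keyserver.example.net, selector sel1) and the key bytes are placeholders chosen for this example.

```zone
; Parent zone for example.com, operated by the ISP (constructed example).
$ORIGIN example.com.
$TTL 3600
@             IN  SOA  ns1.example.com. hostmaster.example.com. ( 2005080301 3600 900 1209600 3600 )
@             IN  NS   ns1.example.com.
@             IN  MX   10 mail.example.com.
mail          IN  A    192.0.2.25
; One-off delegation, parallel to the MX record: every query for
; <selector>._domainkey.example.com is answered by the keyserver operator's
; servers. No glue is needed because those servers live in another zone.
_domainkey    IN  NS   ns1.dkim-keyserver.example.net.
_domainkey    IN  NS   ns2.dkim-keyserver.example.net.

; Delegated zone _domainkey.example.com, operated by the keyserver (constructed example).
$ORIGIN _domainkey.example.com.
$TTL 3600
@             IN  SOA  ns1.dkim-keyserver.example.net. hostmaster.dkim-keyserver.example.net. ( 2005080301 3600 900 1209600 3600 )
@             IN  NS   ns1.dkim-keyserver.example.net.
@             IN  NS   ns2.dkim-keyserver.example.net.
; Selector record in the form later standardized in RFC 4871. p= carries the
; base64 public key (placeholder value here). The keyserver can add, rotate
; and revoke selectors in this zone without touching the ISP's zone above.
sel1          IN  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...placeholder...AQAB"
```

A verifier that sees `d=example.com; s=sel1` in a DKIM-Signature header looks up the TXT record at `sel1._domainkey.example.com`; its resolver follows the NS delegation transparently, so nothing on the verifying side needs to know that a separate keyserver exists. The delegation can be checked from the outside with `dig TXT sel1._domainkey.example.com` and `dig NS _domainkey.example.com`. The caveat is the one implied in the text: the ISP has handed control of every key under its domain to the keyserver operator, so that operator's DNS servers are now part of the domain's signing trust boundary.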

