ietf-mailsig

Re: replay, revocation, repudiation, was RE: [ietf-dkim] On per-user-keying

2005-08-11 14:55:10

On August 11, 2005 at 12:57, SM wrote:

I'm not sure why Phillip thinks DKIM requires a full-on PKI. Isn't
publishing and removing short-lived keys in the DNS sufficient? Key
removal provides a simple repudiation mechanism, if the TTLs are suitably
short.

Key removal may also affect valid mail that has been sent during that 
time.  Key removal may not be an adequate repudiation mechanism, 
especially for large domains.  If the TTL is too short, we lose the 
benefits of DNS caching.

Are we referring to key revocation or repudiation here?  There is a
definite relationship between the two, but removal of keys in DNS (or
better, if an explicit revocation marker is provided) just denotes that
a key has been revoked.  Repudiation will depend on the message(s)
themselves and who wants to repudiate a specific message (or messages).

If I am not mistaken, only people can repudiate.  Repudiation is a
human (and possibly a legal) process, and appears to be outside of
the scope of DKIM.

Or am I mistaken in my understanding?

--ewh
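The distinction drawn above between a key that has simply disappeared from DNS and one carrying an explicit revocation marker, and SM's point that a cached TTL decides when a verifier actually sees either, can be made concrete with a small model. The following Python is an added example written for this archive page; it is not code from the list, from any DKIM draft or from any DKIM implementation. It assumes the key-record semantics later fixed in RFC 6376 (a "p=" tag with an empty value means the key has been revoked), a constructed key string in place of real base64 key data, and a toy one-cache resolver whose selector names and timeline values are invented for illustration.

```python
"""Model of DKIM key revocation as seen through a caching resolver.

Added example for the thread above; not code from the mailing list or any
DKIM implementation.  Assumes RFC 6376 key-record tags: an empty p= means
"revoked".  Key material, selector names and timeline are all constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed placeholder: stands in for a base64 RSA public key.
CONSTRUCTED_KEY = "CONSTRUCTEDBASE64KEYDATA"
NEGATIVE_TTL = 300  # assumed TTL for caching "no such record" (NXDOMAIN)


def parse_dkim_record(txt: str) -> Dict[str, str]:
    """Parse a DKIM key record's tag=value list into a dict.

    Whitespace around tags and values is dropped and a trailing ';' is
    tolerated; a duplicate or malformed tag raises ValueError.
    """
    tags: Dict[str, str] = {}
    for item in txt.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        name, value = item.split("=", 1)
        name, value = name.strip(), value.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value
    return tags


def key_status(txt: Optional[str]) -> str:
    """Classify a selector lookup: 'absent', 'revoked', 'valid' or 'malformed'.

    'absent' (no record at all) is indistinguishable from a selector that
    never existed; 'revoked' (empty p=) is an explicit, unambiguous marker.
    """
    if txt is None:
        return "absent"
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "malformed"
    return "revoked" if tags["p"] == "" else "valid"


@dataclass
class CachingResolver:
    """Toy DNS: an authoritative zone plus one verifier-side cache with TTLs."""
    zone: Dict[str, Tuple[str, int]] = field(default_factory=dict)
    # cache maps name -> (record text or None, absolute expiry time)
    cache: Dict[str, Tuple[Optional[str], int]] = field(default_factory=dict)

    def publish(self, name: str, txt: str, ttl: int) -> None:
        self.zone[name] = (txt, ttl)

    def remove(self, name: str) -> None:
        self.zone.pop(name, None)

    def lookup(self, name: str, now: int) -> Optional[str]:
        txt, expires = self.cache.get(name, (None, -1))
        if expires > now:
            return txt  # served from cache: the zone change is not visible yet
        txt, ttl = self.zone.get(name, (None, NEGATIVE_TTL))
        self.cache[name] = (txt, now + ttl)
        return txt


def verify_at(resolver: CachingResolver, selector: str, now: int) -> str:
    """What a verifier using this resolver concludes about the key at time now."""
    return key_status(resolver.lookup(selector, now))


def timeline() -> Dict[str, str]:
    """Revoke one selector explicitly and delete another; observe through a cache."""
    r = CachingResolver()
    revoked = "sel1._domainkey.example.com"  # constructed selector names
    removed = "sel2._domainkey.example.com"
    for name in (revoked, removed):
        r.publish(name, "v=DKIM1; k=rsa; p=" + CONSTRUCTED_KEY, ttl=3600)
    seen: Dict[str, str] = {}
    seen["sel1 at t=10"] = verify_at(r, revoked, 10)   # cached until t=3610
    seen["sel2 at t=10"] = verify_at(r, removed, 10)
    # t=100: the domain acts.  sel1 gets an explicit revocation marker,
    # sel2 is simply deleted from the zone.
    r.publish(revoked, "v=DKIM1; k=rsa; p=", ttl=3600)
    r.remove(removed)
    seen["sel1 at t=200"] = verify_at(r, revoked, 200)   # stale cache: still valid
    seen["sel2 at t=200"] = verify_at(r, removed, 200)
    seen["sel1 at t=3700"] = verify_at(r, revoked, 3700)  # revoked
    seen["sel2 at t=3700"] = verify_at(r, removed, 3700)  # absent
    return seen


if __name__ == "__main__":
    for event, status in timeline().items():
        print(f"{event}: {status}")
```

The run shows both halves of the argument: until the cached entry expires, a verifier keeps accepting signatures under the old key no matter what the domain has published, and once it expires, mail legitimately signed before the change fails verification too. Only the explicit marker lets the verifier tell "revoked" from "no such selector"; neither outcome says anything about whether a particular message was authorised, which is the repudiation question the reply above leaves outside DKIM.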
