Jon Callas wrote:

[... about DKIM ...] The signature travels with the message and the signing key is in the network. As long as you have both, you can verify the signatures.

"the signing key is in the network" --> Indeed. The public signature key is stored in the DNS.

DKIM might be the first widely deployed application to use the DNS as the preferred means of distributing public keys.

*Authenticated* public key distribution would need an upgrade of the DNS with DNSSEC deployment.

Perhaps it is time for discussion groups like this one to take a look at DNSSEC (RFC4033 / RFC4034 / RFC4035) and review its security principles, trust model, deployment challenges, HMI (Human Machine Interaction) aspects, etc.

Look at or query your favorite web search engine with "DNSSEC".

Good reading.


- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site:

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to