Jon Callas wrote:
> [... about DKIM ...] The signature travels with the message and the signing key is in the network. As long as you have both, you can verify the signatures.
"the signing key is in the network" --> Indeed. The public signature key is stored in the DNS.
DKIM might be the first widely deployed application to use the DNS as the preferred means of distributing public keys.
*Authenticated* public key distribution would need an upgrade of the DNS with DNSSEC deployment.
Perhaps it is time for discussion groups like this one to take a look at DNSSEC (RFC4033 / RFC4034 / RFC4035) and review its security principles, trust model, deployment challenges, HMI (Human Machine Interaction) aspects, etc.
Look at http://www.circleid.com/posts/dnssec_deployment_and_dns_security_extensions/ or query your favorite web search engine with "DNSSEC".
Good reading.

-- 
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1
Tel.: (514)385-5691
Fax: (514)385-5900
web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
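Added example, not part of Thierry's message and not code from any DKIM implementation: a parser for the DKIM key record that a verifier fetches as a TXT record from `<selector>._domainkey.<domain>` (the `v=DKIM1; k=rsa; p=<base64>` tag=value format of RFC 4871, retained in RFC 6376), followed by a small classification step that makes the DNSSEC point explicit. The `dnssec_validated` argument is an assumption about the caller: it stands for whether the resolver reported the answer as validated (the AD bit of a validating resolver), which is the only thing that distinguishes an authenticated key from one that merely arrived over DNS. The sample record and its "key" bytes are constructed placeholders, not a real RSA key.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Tag names are a letter followed by letters, digits or underscores (DKIM tag-list grammar).
TAG_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


@dataclass
class DkimKeyRecord:
    """Fields of a DKIM key record published at <selector>._domainkey.<domain>."""
    key_type: str                   # k= tag, default "rsa"
    public_key: bytes               # decoded p= tag; empty bytes mean the key is revoked
    hash_algs: Optional[List[str]]  # h= tag; None means any hash algorithm is acceptable
    flags: List[str]                # t= tag, e.g. ["y"] for testing mode
    service_types: List[str]        # s= tag, default ["*"]
    notes: Optional[str]            # n= tag, free text intended for humans


def join_txt_strings(strings: Sequence[str]) -> str:
    """TXT RDATA is a sequence of <=255-byte strings; a long base64 key is split
    across them by the publisher and must be concatenated before parsing."""
    return "".join(strings)


def parse_dkim_key_record(txt: str) -> DkimKeyRecord:
    """Parse the tag=value list of a DKIM key record, rejecting malformed input."""
    tags = {}
    for item in txt.split(";"):
        item = item.strip()
        if not item:
            continue  # empty element, e.g. after a trailing ';'
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {item!r}")
        name = name.strip()
        if not TAG_NAME_RE.match(name):
            raise ValueError(f"invalid tag name: {name!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name!r}")
        if name == "v" and tags:
            raise ValueError("v= tag must be the first tag when present")
        # Folding whitespace is allowed inside values such as the base64 key;
        # n= is human-readable, so only its ends are trimmed.
        tags[name] = value.strip() if name == "n" else re.sub(r"\s+", "", value)
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError(f"unsupported version: {tags['v']!r}")
    try:
        # validate=True rejects characters outside the base64 alphabet instead of skipping them.
        public_key = base64.b64decode(tags["p"], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"p= tag is not valid base64: {exc}") from exc
    return DkimKeyRecord(
        key_type=tags.get("k", "rsa"),
        public_key=public_key,
        hash_algs=tags["h"].split(":") if "h" in tags else None,
        flags=tags["t"].split(":") if "t" in tags else [],
        service_types=tags.get("s", "*").split(":"),
        notes=tags.get("n"),
    )


def assess_key(record: DkimKeyRecord, dnssec_validated: bool) -> str:
    """Classify how far a verifier may rely on the fetched key.

    dnssec_validated is assumed to be supplied by the caller from the resolver
    (e.g. the AD bit of a validating resolver's answer). Without it the record
    is only as trustworthy as an unauthenticated DNS response.
    """
    if not record.public_key:
        return "revoked"          # empty p= means the selector's key was revoked
    if "y" in record.flags:
        return "testing"          # domain is testing DKIM; verifiers should not penalise failures
    return "authenticated" if dnssec_validated else "unauthenticated"


# Constructed sample: placeholder bytes, not a real RSA key, split across two TXT
# strings the way a publisher would split a long record.
SAMPLE_KEY_BYTES = b"constructed placeholder bytes, not a real RSA public key"
_b64 = base64.b64encode(SAMPLE_KEY_BYTES).decode()
SAMPLE_TXT_STRINGS = ("v=DKIM1; k=rsa; h=sha256; p=" + _b64[:24], _b64[24:])

if __name__ == "__main__":
    rec = parse_dkim_key_record(join_txt_strings(SAMPLE_TXT_STRINGS))
    print(rec.key_type, len(rec.public_key), assess_key(rec, dnssec_validated=False))
```

The parser enforces the record-level rules a verifier actually depends on (mandatory `p=`, `v=` first if present, no duplicate tags, strict base64) and treats an empty `p=` as revocation rather than as an error, since that is how a domain withdraws a key. The classification is deliberately separate from parsing: a correctly formatted record tells you nothing about whether the DNS answer was genuine, which is exactly what the DNSSEC remark above is about.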