On Fri, Dec 12, 2014 at 11:12:56AM -0500, Paul Wouters wrote:
> On Thu, 11 Dec 2014, Nico Williams wrote:
> >Yes: use MSA/MTA as the keyserver, both for lookup and registration.
>
> Why add another service, another dependency and another choke point and
> another trans protocol for auditing that the world sees the same view?

Well, it's another service on a protocol that already exists, that the MUA must speak, and has similar functionality (VRFY) anyways.

> That can all be done with DNS.

If done *only* with DNS then we get into the canonicalization/zone walking (spam) trap and we then have to do something that sucks.

> Adding another service just adds more problems.

So does not adding it. It's a case of pick your poison. I can't say I like one poison better than the other yet...

BTW, for the DNS-only scheme, there's no need for local-part canon when verifying sender certs: because hopefully! the sender's MUA will use a canonical sender local-part.

As for looking up a recipient's encryption cert... well, if the MUA gets the wrong recipient local-part form as a result of applying an incorrect canonicalization, then it could get the wrong recipient -- a relatively minor problem, but one worth noting.

The SMIMEA I-D does need to describe the motions that the MUA goes through to do the two different tasks: verifying sender signature certs, and finding recipient encryption certs.

Nico

--
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
