Hi Paul,

On 19 Apr 2016, at 21:05, Paul Wouters <[email protected]> wrote:

>> 5.1.  Obtaining an OpenPGP key for a specific email address
>> 
>>  If no OpenPGP public keys are known for an email address, an
>>  OPENPGPKEY DNS lookup MAY be performed to seek the OpenPGP public key
>>  that corresponds to that email address.  This public key can then be
>>  used to verify a received signed message or can be used to send out
>>  an encrypted email message.  An application whose attempt fails to
>>  retrieve a DNSSEC verified OPENPGPKEY RR from the DNS should remember
>>  that failure for some time to avoid sending out a DNS request for
>>  each email message the application is sending out; such DNS requests
>>  constitute a privacy leak
>> 
>> Should the document give a specific recommendation about "remember for
>> some time"? Is it tied to TTL for the corresponding RR?
>> If you can provide some additional text explaining what is reasonable (or
>> not) here, that would improve the specification.
> 
> I do not think the TTL should be used here for key management. The TTL 
> relates to the DNS transport and caching only.

That is fine, but you don't say that one way or another. My concern is that the 
document doesn't provide any specific details here on what is reasonable and 
what is not. Even putting a specific number here (if you think you can) would 
be better, IMHO.

Best Regards,
Alexey



_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
