Thanks for confirming what I was thinking. This is a good example where a root of trust is not required.
Cheers
Dave I

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alin Nastac
Sent: Wednesday, December 05, 2007 10:57 AM
To: dkim-milter general discussion
Subject: Re: [dkim-milter-discuss] DKIM key generation

Dave Isaacs wrote:
> I was wondering if there is an accepted practice for generating DKIM
> keys.
>
> Using openssl to generate DKIM keys is simple and effective, but is
> there any value in going a step further and obtaining keys from a
> certified CA? I don't see any added value in doing so (as much as I'd
> like to say otherwise), since DKIM doesn't require any root of trust.
>
> Does anybody else have any opinions?
>

You can buy your keys if you really want, but there is absolutely no
advantage in having your keys signed by a certified CA.

See chapter 3.6 from RFC 4871:

   Signature applications require some level of assurance that the
   verification public key is associated with the claimed signer. Many
   applications achieve this by using public key certificates issued by
   a trusted third party. However, DKIM can achieve a sufficient level
   of security, with significantly enhanced scalability, by simply
   having the verifier query the purported signer's DNS entry (or some
   security-equivalent) in order to retrieve the public key.
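
The openssl route discussed in this thread, as an added example that is not part of the original messages or of dkim-milter: generate the key pair, build the DNS key record a verifier will query, and check that a published record matches the signing key. The selector "mail2007", the domain "example.com", the 2048-bit size, the ./keys directory and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: selector "mail2007", domain "example.com" and the function
# names are constructed for illustration.

# dkim_genkey DIR SELECTOR
# Create DIR/SELECTOR.private (PEM RSA key). The umask keeps the file
# readable by its owner only; 2048 bits is this example's choice.
dkim_genkey() {
    ( umask 077 && openssl genrsa -out "$1/$2.private" 2048 2>/dev/null )
}

# dkim_pubkey_b64 KEYFILE
# Print the public key as one base64 line (DER SubjectPublicKeyInfo),
# which is the form the p= tag of the key record carries.
dkim_pubkey_b64() {
    openssl rsa -in "$1" -pubout 2>/dev/null | grep -v '^-----' | tr -d '\n'
}

# dkim_txt_record KEYFILE SELECTOR DOMAIN
# Print a zone-file TXT record. A single TXT string holds at most 255
# bytes, so the data is cut into 200-character quoted strings, which DNS
# clients concatenate again.
dkim_txt_record() {
    p=$(dkim_pubkey_b64 "$1")
    [ -n "$p" ] || return 1
    rdata=$(printf 'v=DKIM1; k=rsa; p=%s\n' "$p" |
        fold -w 200 | sed 's/.*/"&"/' | tr '\n' ' ')
    printf '%s._domainkey.%s. IN TXT ( %s)\n' "$2" "$3" "$rdata"
}

# dkim_record_matches_key RECORD KEYFILE
# Succeed only if the p= value in RECORD is the public half of KEYFILE.
# Run it against what DNS actually returns before signing with a new key.
dkim_record_matches_key() {
    published=$(printf '%s' "$1" | tr -d '" ()\n' |
        sed -n 's|.*;p=\([A-Za-z0-9+/]*=*\).*|\1|p')
    expected=$(dkim_pubkey_b64 "$2")
    [ -n "$published" ] && [ "$published" = "$expected" ]
}

# Usage (./keys is a placeholder directory):
#   dkim_genkey ./keys mail2007
#   dkim_txt_record ./keys/mail2007.private mail2007 example.com
```

No certificate is involved at any step: the only binding between key and domain is the TXT record under the domain's own `_domainkey` zone, so control of that zone and of the private key file is what has to be protected.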
