In message <[email protected]>, Taavi Eomäe <[email protected]> writes

>Are you against DNS (and by extension its security mechanisms) being
>used for DKIM in general? And not that you would find it valuable to
>know if the public keys were fetched in a way that their
>authenticity/integrity is known?

Hard to give a clear yes or no to the second question because of the negative...

I can't see any value in knowing how the signer of a message obtained a key ... on my system it fetches the private key from a file and never uses the public key at all -- so DNSSEC is not at all relevant at that end of the connection.

Most "knowing what happened next" issues are in the realm of DMARC which is another WG and another charter.

If you mean that "bounce messages" (DSNs) -- that we envisage souping up for DKIM2 -- should provide as much detail as possible as to the reasons that they are rejecting a mail as incorrectly signed, then I would agree about that.

Whether we need to say something explicit in the charter about the verbosity of bounces is somewhat debatable. Wording to say that attention will be paid to allowing senders to debug sending problems might be quite sufficient.

Murray doesn't like technical discussion at this point, so I will just briefly point out that providing a copy of the key that was used to do the check might be of significantly more use to more people than a flag for DNSSEC usage --- taking that approach would allow senders to understand caching issues, DNS outages, not just DNS poisoning attacks

-- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
