On 1/7/25 6:40 PM, John Levine wrote:
> It appears that Michael Thomas <[email protected]> said:
>> But first, I hope we are all aware that the vast majority of https certificates
>> are signed automatically using ACME. How does ACME validate the domain names it
>> signs?
> This doesn't make any sense.
> ACME certs are validated using ordinary non-DNSSEC DNS lookups.
> For identifying the far end, there is no difference between using a cert and
> looking up the name in the DNS, since the cert is just a roundabout way of doing
> the same DNS lookup.
If you're talking about "trust but verify", that's entirely the point.
DKIM with DNSSec doesn't have a mechanism to "verify" the provenance
when DNSSec isn't deployed. But I have no idea what an ACME cert is. I'm
pretty sure that's not a term d'arte.
> But this is getting rather far away from the charter discussion where I see
> no interest whatsoever in changing the way DKIM keys are looked up in the DNS.
Are you a wg chair? IESG? It's not your bailiwick to shut down discussion,
especially in light of the fact that the general talk is about revamping DKIM
generally to make it better when there isn't even an agreed-upon charter.
A charter should be an open-ended negotiation on what work will be taken
up. You can have an opinion but not an attitude.
Mike
_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]