On Wed, 10 Aug 2005 09:53:37 -0500, Arvel Hathcock wrote:

> Suppose you get an unsigned message and DNS lookups fail for whatever
> transient reason.

It is probably worth our considering how well or poorly DKIM works under different modes of connectivity. Some models require all participants to be online at the same time, with continuous connectivity throughout the activity. A VOIP telephone call is an example. (I tend to think that the Web is, too, but that's a more complicated discussion, what with asynchronous publishing and proxies confusing things.) Others tolerate highly asynchronous access and interrupted connectivity. Email is the obvious example, but also note the Delay Tolerant Networking (formerly Interplanetary Internetworking) effort as an extreme.

So, the issue you are raising is about the ability of the Validating Agent to access the key server... ummmm, errrr... the DNS.... in real time. (Given that DKIM rides on email, the model does not require that Signer and Validator be online at the same time.)

I think that the only other real-time dependencies that the core email service has on the DNS are the outbound process of finding MX records, and of course, the various receive-time SMTP server matchings of the incoming IP Address against various DNS-based records.

This argues for doing key-retrieval by a component in the receiver's Administrative Environment that operates with the same connectivity as the receive-time SMTP server... However, it does not *require* it.

There is nothing preventing validation from being done by a component with highly discontinuous access that does not match the access of the mail-receiving component. However, it makes use of the signature more challenging.

d/

---
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker a t ...
WE'VE MOVED to: www.bbiw.net

_______________________________________________
ietf-dkim mailing list
[email protected]
http://mipassoc.org/mailman/listinfo/ietf-dkim
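The two deployment shapes discussed in the message above, as an added example that is not part of the original post or of any DKIM implementation: a validator that fetches the key record from DNS in real time and must answer TEMPFAIL when the lookup fails transiently, beside a receive-time component (sharing the SMTP server's connectivity) that captures the key record and stores it with the message so a disconnected validator can verify later. The tag=value parsing and the `selector._domainkey.domain` lookup name follow the DKIM signature header format; everything else is assumed for the demonstration: the signature scheme is textbook RSA over two Mersenne primes standing in for rsa-sha256 so the code runs on the standard library alone (it is not secure), the signed input is a constructed byte string rather than canonicalized headers plus body hash, the key record carries `n=`/`e=` as decimal integers instead of the real base64 `p=` key, and the resolver is a constructed stub with an on/off switch.

```python
# Added example (not from the original post): DKIM verification outcome as a
# function of DNS reachability, and receive-time key capture for offline use.
import base64
import hashlib
import re

# --- toy signature scheme (ASSUMED stand-in for rsa-sha256; NOT secure) ---
_P = (1 << 61) - 1          # Mersenne primes, chosen so no key generation is needed
_Q = (1 << 89) - 1
N = _P * _Q
E = 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))


def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def toy_sign(data: bytes) -> str:
    """Return the signature base64-encoded, as the b= tag carries it."""
    sig = pow(_digest_int(data, N), _D, N)
    return base64.b64encode(sig.to_bytes((N.bit_length() + 7) // 8, "big")).decode()


def toy_verify(data: bytes, b64sig: str, n: int, e: int) -> bool:
    sig = int.from_bytes(base64.b64decode(b64sig), "big")
    return pow(sig, e, n) == _digest_int(data, n)


# --- DKIM-style tag=value list handling -----------------------------------
def parse_tags(value: str) -> dict:
    """Parse 'k=v; k2=v2', dropping folding whitespace inside values."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, _, v = item.partition("=")
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def key_record_name(sig_tags: dict) -> str:
    """Selector (s=) and domain (d=) name the TXT record the verifier fetches."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"


class DnsTempFail(Exception):
    """Transient lookup failure (timeout, SERVFAIL): the answer is unknown."""


class StubDns:
    """Constructed resolver: a fixed zone plus a connectivity switch."""
    def __init__(self, records: dict):
        self.records = records
        self.online = True

    def txt(self, name: str):
        if not self.online:
            raise DnsTempFail(name)
        return self.records.get(name)   # None means no such record


def _verify_against_record(data: bytes, tags: dict, record) -> str:
    if record is None:
        return "PERMFAIL(no key)"       # key definitively absent
    key = parse_tags(record)            # constructed layout: n= and e= decimal
    ok = toy_verify(data, tags["b"], int(key["n"]), int(key["e"]))
    return "PASS" if ok else "PERMFAIL(bad signature)"


# --- model 1: validator needs the DNS right now ---------------------------
def verify_with_dns(data: bytes, sig_header: str, dns: StubDns) -> str:
    tags = parse_tags(sig_header)
    try:
        record = dns.txt(key_record_name(tags))
    except DnsTempFail:
        return "TEMPFAIL"               # unknown, not forged: defer, never reject
    return _verify_against_record(data, tags, record)


# --- model 2: capture at receive time, validate later without DNS ---------
def capture_at_receipt(data: bytes, sig_header: str, dns: StubDns) -> dict:
    """Run by the component sharing the SMTP server's connectivity."""
    tags = parse_tags(sig_header)
    return {"data": data, "sig": tags, "key_record": dns.txt(key_record_name(tags))}


def verify_captured(bundle: dict) -> str:
    """Offline validator: checks against the record as it stood at receipt."""
    return _verify_against_record(bundle["data"], bundle["sig"], bundle["key_record"])


# --- constructed demo data ------------------------------------------------
MESSAGE = b"from: alice@example.com\r\nsubject: hi\r\n\r\nbody-hash stand-in\r\n"
SIG_HEADER = f"v=1; a=toy-rsa; d=example.com; s=sel1;\r\n\tb={toy_sign(MESSAGE)}"
ZONE = {"sel1._domainkey.example.com": f"v=DKIM1; k=toy-rsa; n={N}; e={E}"}


def demo() -> tuple:
    dns = StubDns(ZONE)
    live = verify_with_dns(MESSAGE, SIG_HEADER, dns)        # DNS reachable
    bundle = capture_at_receipt(MESSAGE, SIG_HEADER, dns)   # key fetched while online
    dns.online = False
    deferred = verify_with_dns(MESSAGE, SIG_HEADER, dns)    # DNS unreachable
    offline = verify_captured(bundle)                       # no DNS needed
    tampered = verify_captured({**bundle, "data": MESSAGE + b"x"})
    return live, deferred, offline, tampered


if __name__ == "__main__":
    print(demo())
```

The receive-time capture binds the verification to the key record as published when the message arrived: a later rotation or removal of the selector is invisible to the offline validator, which is one concrete form of the "more challenging" use of the signature that the message mentions. The TEMPFAIL branch is the other half of the original question: a transient DNS failure on a signed message leaves the result unknown, so the only safe options are to retry or to deliver with no verification claim, not to treat the message as forged.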
