Hector, I'm having trouble here:
> From the innocent verifier standpoint, its goal in DKIM might include:
>
> - Address the malicious transaction problem,
>

How, and why is this the best method (as opposed to either removing the selector from DNS or having the x= value within the key record itself)?

> - Quickly disseminate the bad from the good,
>

Again, how? And I don't think you meant disseminate, but discriminate. Does a message suddenly become "bad" because the signature expired? And what do we mean by "bad" here? If it is because the key will likely be cracked over some period of time, wouldn't a verifier understand this based on the key type, and why would it distinguish one domain from another in this case? If it is not because the key is cracked, then we are into non-repudiation which is out of scope.

> - Reduce overhead,
>

You're talking about DNS queries? I'm not sure I see it. I would expect the VAST majority of queries to occur within days if not minutes.

> - Protect customers/users,
>

From what?

> - Help protect DKIM domains as a standard consistent protocol.
>

I'm sorry, I don't understand this either.

> In short, address the global spam problem.
>
> Does expiration contribute for this purpose?
>
> From a verifier standpoint, it is looking to be told what is bad mail. It
> wants every piece of information the domain can expose to communicate levels
> of control.
>
> From a signer standpoint, If the domain is saying the expiration is one
> such control to invalidate a signed transaction, then it is not up to the
> verifier to decide if its useful idea or not. The verifier will not know
> the "true intent" of the domain's control here. Why should the verifier not
> honor it?
>

I'd be happy with this logic if you could give me a single legitimate purpose for this. Thus far I haven't heard any.

> This is also addresses your previous question regard the application usages
> and there they serve any useful purpose. That all depends on your role.
>
> I apologize if this short answer doesn't fully describe my overall opinion,
> but I will say that DKIM is short on controls or fail detection ideas in
> DKIM.
>
> What is unique about Expiration is that it is probably the only clear item
> in the DKIM protocol that helps with failure detection:
>
>     expiration ----> clear definition for invalid,
>                      no verification required.
>

But what does this mean? If I am an administrator how would I use this to provide either myself or the recipient with some value? What does it mean for a signature to have expired in this context? Does it mean that the message is less trustworthy than it was prior to expiration? Please show me a real use case.

Thanks,

Eliot

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
