On 04/14/2006 12:26, Douglas Otis wrote: > On Apr 14, 2006, at 5:56 AM, Hector Santos wrote: > >>> Unless it has help from the backend server, offline mail systems > >>> will not work very reliably when keys are being changed. > >> > >> Should DKIM require services beyond DNS for verification? > > > > Is this a trick question? :-) > > > > In contexts of the offline MUA, for it to work reliably, I would > > think it will need from feedback from the work done in the backend > > (ISP, ESP, Mail Host). > > > > Otherwise, how would get your Offline Mail Reader to work correctly > > with DKIM when you have the problem of unknown key revocation? > > While not on-line in the sense of continuous connectivity, an > intermittent POP or IMAP connection would likely also have concurrent > access to DNS for resolving such Internet services. > > With what you are suggesting, it would seem these DNS records will > not be retained for a period adequate for protecting IMAP or POP > transit unless some alternate repository of keys is obtained. > > >>> The only way I see to reduced this is to increase the frequency > >>> of your pickup times so that is closer to real time. At pickup, > >>> the DKIM plug-ins do their work. So even if you are away on > >>> vacation, your computer is still on and doing its mail pickup. > >> > >> Access to email can occur at fairly slow rates. A delay due to a > >> short vacation suggests typical transit times may easily span > >> several weeks. Not every MUA is continuously on-line. > > > > Agree. The point was, with today's software, the current DKIM > > specs, fixing or at least reducing the problem, would be to make it > > do higher frequency pickups. > > One simple solution would be to change the recommendations and ensure > a reasonable period for accessing keys to enable protections over > IMAP and POP transit. A recommendation might be changed to weeks > rather than days. > > > I don't see any other solution for the person who wants to use DKIM > > with his offline mail reader and isn't getting any help from this > > host. Do you? How will you pull this rabbit out of the hat > > without having a higher frequency pickup? > > What problem is being solved by rapidly removing the availability of > keys? > > > What would be the "recommended frequency" for the DKIM ready MUA? > > This is limited by human interaction and as such, is necessarily slow. > > > Is this information that should be added to DKIM-BASE? Maybe. But > > then I will have to stop telling some of some of my users to top > > polling our pop server every freaking minute! <g> > > A faster polling rate for an MUA is a not a solution. : ( > I think this whole sub-thread highlights the impossibility of designing DKIM as an completely reliable MUA level tool. While it may be useable in the MUA, I think the target of the protocol design should remain squarely in the MSA-MTA-MDA relm.
In terms of other MUA level timing sources, IIRC, the original Microsoft Caller ID for E-mail specifications recommended keeping things published in their DNS record for 30 days beyond when they had last been used. If you want to target MUAs, then that's probably about where you need to be. >From a protocol design perspective, I think the right answer is to design for the case where the receiving MTA/MDA will check the signature and record a result that, if appropriate, an MUA can use. Scott K _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
