On 05/22/2011 08:02 AM, Dave CROCKER wrote:
>
> 3. As noted, certification was explicitly de-coupled from DKIM. I'll claim that
> it really is a separate, value-added service and any support of it should be
> through a separate, value-added mechanism. My own preference would be for using
> a special header-field that contains the cert, with the specification of using
> such certs as saying that they are enabled when included in the set of h=
> covered header fields.
>
Well, X.509 style certification certainly was. But using DNS is a form of certification which is arguably not much worse than going to godaddy and proving that you can receive email from the domain or whatever weak tests they use to establish that you have control of the domain. The weak part of the DKIM/DNS chain isn't the certification part (if you believe that godaddy et al aren't problematic), it's the lack of data integrity in the transport of the DKIM RR, which can be solved with DNSSEC.

Given how problematic X.509 has been for people to get their heads around, I think that DKIM has done a service in providing an alternative mechanism/trust root for establishing identity that is workable, especially with its solution to the revocation problem.

Mike

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
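
As an added example (not part of the thread), a verifier-side check illustrating Mike's point: a DKIM key record fetched over plain DNS carries no integrity assurance, so a verifier should rely on the p= key only when its validating resolver reports DNSSEC validation via the AD flag, and an empty p= is the revocation signal. The DNS messages are constructed locally and offline; the selector name and key value are placeholders, not real records.

```python
import struct
AD, TXT = 0x0020, 16   # DNS header Authenticated Data flag (RFC 4035); TXT RR type code
QNAME = b"\x09selector1\x0a_domainkey\x07example\x03com\x00"   # constructed selector name

def build_response(ad, txt):
    """Constructed response: one question, one TXT answer named by a 0xC00C pointer."""
    hdr = struct.pack("!6H", 0x1234, 0x8180 | (AD if ad else 0), 1, 1, 0, 0)
    d = txt.encode()       # TXT rdata is <len><chars> strings of at most 255 bytes each
    rdata = b"".join(bytes([len(d[i:i + 255])]) + d[i:i + 255] for i in range(0, len(d), 255))
    ans = b"\xc0\x0c" + struct.pack("!HHIH", TXT, 1, 3600, len(rdata)) + rdata
    return hdr + QNAME + struct.pack("!HH", TXT, 1) + ans

def skip_name(msg, off):
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:            # a compression pointer ends the name
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_txt_response(msg):
    """Return (ad_set, txt); txt is None when the first answer is not a TXT record."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    if an:
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, txt, i = msg[off + 10:off + 10 + rdlen], b"", 0
        while i < len(rdata):                  # concatenate the <len><chars> strings
            txt += rdata[i + 1:i + 1 + rdata[i]]
            i += 1 + rdata[i]
        if rtype == TXT:
            return bool(flags & AD), txt.decode()
    return bool(flags & AD), None

def parse_dkim_tags(txt):
    """'v=DKIM1; k=rsa; p=...' -> dict, per the RFC 6376 tag=value list syntax."""
    return {k.strip(): v.strip() for k, _, v in
            (p.partition("=") for p in txt.split(";")) if k.strip()}

def evaluate_key_record(msg):   # how a verifier should treat a fetched DKIM key record
    ad, txt = parse_txt_response(msg)
    if txt is None:
        return "no-key"
    if not ad:
        return "unvalidated"   # plain DNS: record integrity not assured, so p= is untrusted
    p = parse_dkim_tags(txt).get("p", "")
    return "revoked" if p == "" else "validated"   # RFC 6376: empty p= means the key is revoked
```

The AD flag is only meaningful when the resolver itself is trusted and the path to it is protected, since an answer from an untrusted resolver can carry the bit without any validation having occurred.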
