[ietf-dkim] editorials and nits
Michael Thomas
mike at mtcc.com
Tue Jul 4 07:36:40 PDT 2006
Stephen Farrell wrote:
>
>> I don't see DNS as a "third party" in the same sense as a CA for
>> certs. Yes, DNS has to work, but it isn't a third party (unless you
>> want to count the root servers, I suppose). By this logic, we should
>> also include the multiple third parties that run the routers and all
>> the rest of the infrastructure.
>
>
> In my little PKI-riddled mind, the DNS is a TTP since it supplies the
> public keys and if/when DNSSEC were used, it starts to look quite like
> a PKI. The routers etc. won't ever really be supplying signed key
> records. But if no-one else thinks the same, leaving as-is is of course
> right.
I think Eric captures the exact nature of the confusion. On a purely technical
level, Stephen is right, but on the 'want-to-be-understood' level, mentioning
a TTP is a good way to get un-understood in a big hurry. And even then people
try to shoehorn "certificates" into our certificateless design and proceed to
misunderstand based on that false premise.
>
> If I go to a conference or IETF, then I generally use its smtp server.
> If someone was used to mail from me being signed by tcd.ie and suddenly
> see mail from me signed by ietf66.org they might react badly. I don't
> want that to happen. (I know that the IETF meeting server doesn't sign
> now, but I guess it may in future.)
>
> So, my point was that I didn't see an example/use-case that mapped to
> the one above.
Sure there is: the first obvious one is that you can VPN into your home as
many of us do already and have your home MTAs do the signing. However,
the "DKIM" answer is to delegate a key/selector to stephen.farrell at cs.tcd.ie
(probably with g=stephen.farrell; ) and allow your own selector to do the job.
I've been wanting for quite some time to hack up a Thunderbird plugin that
can do exactly this.
>
>>> #6 3.6.1 "k=" says that the public key is in the "p=" value, but it's
>>> actually the modulus.
>>
>>
>> I guess I'm confused. If this isn't the public key, what is?
>
>
> Me being pedantic again I guess. The public key is the modulus and
> the public exponent (in our case hardcoded to be 65537).
Wouldn't it actually be better to just say that it's the PEM-formatted
public key with a reference and not give an explanation at all? For a
developer, what I'm looking for is a routine which reads it, and
looking for PEM_xxx is a lot easier than looking for "b64 modulus
with hardcoded public exponent of 65537".
Mike
>
> _______________________________________________
> NOTE WELL: This list operates according to
> http://mipassoc.org/dkim/ietf-list-rules.html
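The "modulus vs. public key" question above was settled in the published DKIM specification (RFC 6376, section 3.6.1): for k=rsa the p= tag carries a base64-encoded DER SubjectPublicKeyInfo, which contains both the modulus and the public exponent, so a verifier reads the exponent from the record rather than assuming 65537. The example below is added here and is not code from the list, the DKIM drafts, or any DKIM implementation. It builds a constructed (toy-sized, not a real RSA) key record with a g= granularity tag of the kind Mike suggests for a delegated selector, parses the record's tags, decodes p= with a minimal DER reader, and applies the g= local-part match as RFC 4871 defined it (one optional "*" wildcard). Only the Python standard library is used.

```python
import base64
import re

# Constructed sample values: a toy 128-bit modulus (NOT a real RSA modulus,
# just an odd integer with the high bit set) and the usual exponent 65537.
SAMPLE_MODULUS = 0xD5B27A7E9C3B4F11E0A47D6F3A9C11B7
SAMPLE_EXPONENT = 65537
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def der_len(n):
    """DER length octets (short and long form)."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def der_int(v):
    """DER INTEGER; a leading zero byte keeps a high-bit value positive."""
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + der_len(len(b)) + b


def der_seq(payload):
    return b"\x30" + der_len(len(payload)) + payload


def spki_rsa(n, e):
    """SubjectPublicKeyInfo for an RSA key: AlgorithmIdentifier + BIT STRING(RSAPublicKey)."""
    rsa_public_key = der_seq(der_int(n) + der_int(e))
    algorithm = der_seq(RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption, NULL params
    bit_string = b"\x03" + der_len(len(rsa_public_key) + 1) + b"\x00" + rsa_public_key
    return der_seq(algorithm + bit_string)


def der_read(buf, off=0):
    """Read one TLV at offset; returns (tag, value, offset after it)."""
    tag = buf[off]
    ln = buf[off + 1]
    off += 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + ln], off + ln


def rsa_from_spki(der):
    """Extract (modulus, exponent) from a DER SubjectPublicKeyInfo."""
    tag, body, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _algorithm, off = der_read(body)
    tag, bits, _ = der_read(body, off)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    _, rsa, _ = der_read(bits[1:])
    _, n_bytes, off = der_read(rsa)
    _, e_bytes, _ = der_read(rsa, off)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def parse_key_record(txt):
    """Split a DKIM key TXT record into tags; whitespace inside p= is folding, drop it."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        name, _, value = part.partition("=")
        name = name.strip()
        tags[name] = re.sub(r"\s+", "", value) if name == "p" else value.strip()
    return tags


def granularity_allows(g, local_part):
    """RFC 4871 g= match: exact, or one '*' matching zero or more characters. Default '*'."""
    if g is None:
        g = "*"
    if "*" not in g:
        return g == local_part
    head, _, tail = g.partition("*")
    return (len(local_part) >= len(head) + len(tail)
            and local_part.startswith(head) and local_part.endswith(tail))


def build_key_record(n, e, granularity=None):
    p = base64.b64encode(spki_rsa(n, e)).decode("ascii")
    g = f" g={granularity};" if granularity else ""
    return f"v=DKIM1; k=rsa;{g} p={p}"


def verify_record(txt, local_part):
    """Returns (modulus, exponent, granularity_ok) for a key record."""
    tags = parse_key_record(txt)
    n, e = rsa_from_spki(base64.b64decode(tags["p"]))
    return n, e, granularity_allows(tags.get("g"), local_part)


if __name__ == "__main__":
    record = build_key_record(SAMPLE_MODULUS, SAMPLE_EXPONENT, "stephen.farrell")
    print(record)
    print(verify_record(record, "stephen.farrell"))
```

The exponent is whatever the record says, which is the property the thread is arguing about: the DER blob is the public key, and a verifier that hardcodes 65537 rather than reading it would accept a differently-formed key wrongly or reject a legitimate one.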