[ietf-dkim] Re: 1368 straw-poll
paul.hoffman at domain-assurance.org
Mon Feb 26 10:38:29 PST 2007
At 10:10 AM -0800 2/26/07, Dave Crocker wrote:
>Paul Hoffman wrote:
>>At 8:48 AM -0800 2/26/07, Dave Crocker wrote:
>>>The proposed mechanism incurs an additional lookup for every signed message.
>>You keep saying this without justifying it. Others have shown it to
>>be wrong. Please stop repeating it or support your statement.
>Actually, they haven't.
Well, at least I have. If a recipient gets a message with a valid
signature, they never need to look up an SSP record. That refutes
your statement pretty fully, doesn't it?
>>>2. Unless I'm missing something pretty basic, the duration of a
>>>transition is the time between the last message is signed with an
>>>algorithm and the signer deletes the key record. For DKIM
>>>intended use, I believe this duration will be in the range of 3-10
>>>days. If I'm wrong, it would help for someone to explain how.
>>Simple: we allow signers to sign with multiple algorithms.
>>Therefore the transition can last as long as the signer wants. It
>>is possible that this might be many years.
>Were DKIM intended to have signatures that lasted years, that might
>make sense. Since it isn't, I am pretty sure it doesn't.
And you would be wrong. If I am signing a message with both A and B,
it doesn't matter how long the key for each signature lasts; the
transition lasts for as long as I am using both algorithms. This is
no different than any other security protocol.
--Paul Hoffman, Director
--Domain Assurance Council
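The two claims argued above (a verifier that obtains a valid signature never consults SSP, and a signer that signs with two algorithms at once keeps the transition open for as long as it likes) can be checked against a small verifier model. The following is an added example written for this page, not code from the thread, from any DKIM implementation, or from the SSP draft. It assumes a constructed in-memory DNS table, a placeholder `_ssp.<domain>` record name, and HMAC over the raw message in place of real RSA signing and canonicalization, so that it runs offline; the lookup counters are what the example is about.

```python
"""Model of a DKIM verifier that consults SSP only when no signature verifies.

Added example for the ietf-dkim thread above; not real DKIM code.
Simplifications (all constructed assumptions): an in-memory DNS table,
a placeholder "_ssp.<domain>" policy record, and HMAC over the whole
message instead of RSA over canonicalized headers and body.
"""
import hashlib
import hmac

# Constructed stand-in for DNS. Two selectors published by example.com
# (one per signing algorithm) plus one policy record.
DNS = {
    "s2006._domainkey.example.com": b"constructed-key-material-s2006",
    "s2007._domainkey.example.com": b"constructed-key-material-s2007",
    "_ssp.example.com": "all",  # constructed policy: "all mail is signed"
}

# Hash algorithms named as in DKIM's a= tag.
ALGORITHMS = {"rsa-sha1": hashlib.sha1, "rsa-sha256": hashlib.sha256}


class Resolver:
    """DNS front end that counts key-record and policy-record lookups."""

    def __init__(self, table):
        self.table = table
        self.key_lookups = 0
        self.ssp_lookups = 0

    def key_record(self, selector, domain):
        self.key_lookups += 1
        return self.table.get(f"{selector}._domainkey.{domain}")

    def ssp_record(self, domain):
        self.ssp_lookups += 1
        return self.table.get(f"_ssp.{domain}")


def sign(message, domain, selector, alg):
    """Produce one DKIM-Signature-like header as a dict (HMAC stands in for RSA)."""
    key = DNS[f"{selector}._domainkey.{domain}"]
    tag = hmac.new(key, message, ALGORITHMS[alg]).hexdigest()
    return {"d": domain, "s": selector, "a": alg, "b": tag}


def verify(from_domain, message, signatures, resolver, supported):
    """Try each signature the verifier understands; fall back to SSP only if none verifies."""
    for sig in signatures:
        if sig["a"] not in supported:
            continue  # algorithm this verifier no longer (or not yet) implements
        key = resolver.key_record(sig["s"], sig["d"])
        if key is None:
            continue  # signer has already deleted this selector's key record
        expected = hmac.new(key, message, ALGORITHMS[sig["a"]]).hexdigest()
        if hmac.compare_digest(expected, sig["b"]):
            # A valid signature ends the process: no SSP query is made.
            return {"verified": True, "alg": sig["a"], "policy": None,
                    "key_lookups": resolver.key_lookups,
                    "ssp_lookups": resolver.ssp_lookups}
    # Only an unsigned or non-verifying message costs a policy lookup.
    policy = resolver.ssp_record(from_domain)
    return {"verified": False, "alg": None, "policy": policy,
            "key_lookups": resolver.key_lookups,
            "ssp_lookups": resolver.ssp_lookups}


# Constructed message, signed with both algorithms during a transition.
MESSAGE = b"From: alice@example.com\r\nSubject: hi\r\n\r\nconstructed body\r\n"
DUAL_SIGNED = [
    sign(MESSAGE, "example.com", "s2006", "rsa-sha1"),
    sign(MESSAGE, "example.com", "s2007", "rsa-sha256"),
]


def scenario(signatures, supported, message=MESSAGE):
    """Run one verification with a fresh resolver and return the outcome and lookup counts."""
    return verify("example.com", message, signatures, Resolver(DNS), set(supported))


if __name__ == "__main__":
    print("both algs  :", scenario(DUAL_SIGNED, {"rsa-sha1", "rsa-sha256"}))
    print("sha256 only:", scenario(DUAL_SIGNED, {"rsa-sha256"}))
    print("sha1 only  :", scenario(DUAL_SIGNED, {"rsa-sha1"}))
    print("unsigned   :", scenario([], {"rsa-sha256"}))
    print("tampered   :", scenario(DUAL_SIGNED, {"rsa-sha256"}, MESSAGE + b"x"))
```

The dual-signed message verifies with one key lookup and no SSP lookup whether the verifier still accepts rsa-sha1, has moved to rsa-sha256 only, or has not yet added rsa-sha256 at all; the transition window is therefore bounded by how long the signer keeps emitting both signatures, not by any key's lifetime. Only the unsigned and tampered cases reach the policy record.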