[ietf-dkim] Certifying the DKIM public key?
Michael Thomas
mike at mtcc.com
Sun May 22 08:20:54 PDT 2011
On 05/22/2011 08:02 AM, Dave CROCKER wrote:
>
> 3. As noted, certification was explicitly de-coupled from DKIM. I'll claim that
> it really is a separate, value-added service and any support of it should be
> through a separate, value-added mechanism. My own preference would be for using
> a special header-field that contains the cert, with the specification of using
> such certs as saying that they are enabled when included in the set of h=
> covered header fields.
>
Well, X.509-style certification certainly was. But using DNS is a
form of certification which is arguably not much worse than going
to GoDaddy and proving that you can receive email from the domain
or whatever weak tests they use to establish that you have control
of the domain. The weak part of the DKIM/DNS chain isn't the certification
part (if you believe that GoDaddy et al. aren't problematic), it's the
lack of data integrity in the transport of the DKIM RR, which can
be solved with DNSSEC.
Given how problematic X.509 has been for people to get their heads
around, I think that DKIM has done a service in providing an
alternative mechanism/trust root for establishing identity
that is workable, especially with its solution to the revocation
problem.
Mike
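The two points Mike makes about the DNS side of DKIM, that the key record's transport has no integrity unless the resolver validates it with DNSSEC, and that revocation is handled by the record itself, can be shown concretely with a small parser for the DKIM key record (the `v=DKIM1; k=rsa; p=...` tag list from RFC 6376 section 3.6.1). This is an added example, not code from the thread or from any DKIM implementation; the sample records are constructed, the key bytes are not a real key, and `dnssec_authenticated` stands in for the AD bit a validating resolver would report.

```python
"""Parse a DKIM key record from DNS TXT strings and decide whether a verifier
should trust it, illustrating (a) revocation by publishing an empty p= tag and
(b) the transport-integrity gap that only DNSSEC validation closes.

Added example for illustration; record contents below are constructed.
"""
import base64
import re


def join_txt_strings(strings):
    """A TXT RR is a sequence of character-strings (each <= 255 bytes); the
    DKIM record is their concatenation, so long keys are usually split."""
    return "".join(strings)


def parse_dkim_record(record):
    """Split a 'tag=value; tag=value' list into a dict.

    Folding whitespace is permitted around and inside values (the p= value
    is base64 and is often wrapped), so it is stripped from each value.
    """
    tags = {}
    for field in record.split(";"):
        field = field.strip()
        if not field:
            continue  # tolerate a trailing ';'
        if "=" not in field:
            raise ValueError(f"malformed tag: {field!r}")
        name, _, value = field.partition("=")
        name = name.strip()
        value = re.sub(r"\s+", "", value)
        if name in tags:
            raise ValueError(f"duplicate tag: {name!r}")
        tags[name] = value
    return tags


def evaluate_key(txt_strings, dnssec_authenticated):
    """Return (status, key_bytes_or_None) for a fetched selector record.

    dnssec_authenticated is a hypothetical flag modelling whether the resolver
    validated the answer (the AD bit); without it the record could have been
    altered in transit, which is the weakness discussed in the thread.
    """
    tags = parse_dkim_record(join_txt_strings(txt_strings))
    if tags.get("v", "DKIM1") != "DKIM1":
        return "invalid-version", None
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        return "unsupported-key-type", None
    if "p" not in tags:
        return "missing-p", None
    if tags["p"] == "":
        # RFC 6376: an empty p= value means the key has been revoked.
        return "revoked", None
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "bad-key-encoding", None
    if not dnssec_authenticated:
        # Key parsed fine, but nothing proves it came from the domain owner.
        return "unauthenticated", key
    return "ok", key


# Constructed sample data (not a real key): the base64 is of a short string.
SAMPLE_KEY_BYTES = b"constructed sample key bytes"
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_KEY_BYTES).decode()
SAMPLE_RECORD = ["v=DKIM1; k=rsa; ", "p=" + SAMPLE_KEY_B64]
WRAPPED_RECORD = ["v=DKIM1; k=rsa; p=" + SAMPLE_KEY_B64[:10] + " " + SAMPLE_KEY_B64[10:]]
REVOKED_RECORD = ["v=DKIM1; k=rsa; p="]


if __name__ == "__main__":
    for label, rec, ad in [("validated", SAMPLE_RECORD, True),
                           ("unvalidated", SAMPLE_RECORD, False),
                           ("revoked", REVOKED_RECORD, True)]:
        status, key = evaluate_key(rec, ad)
        print(f"{label:12s} -> {status}")
```

The parser accepts the record only as a whole: a verifier that stops at "the base64 decoded" is exactly the one that cannot tell a spoofed answer from a genuine one, which is why the integrity flag is evaluated last and gates the "ok" result.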