[ietf-dkim] Certifying the DKIM public key?
hsantos at isdg.net
Sun May 22 20:26:27 PDT 2011
John R. Levine wrote:
>> But this is exactly what DKIM is. You prove yourself fsvo "prove"
>> to the registrar who "certifies" you by virtue of placing your NS
>> records in the root servers instead of issuing a cert.
> Registrars, as we all know, rarely check any credential beyond the
> confirmation code from the credit card charge.
hmmmm, doesn't that depend on the cert being purchased? There is a
higher due diligence done for the more expensive "seal" which comes
with a higher indemnity. AFAIK, depending on your PCI level, you
can't get the "el cheapo" cert like the Turbo SSL offered by GoDaddy
because auditors will fail you.
> I'm still not seeing what a cert provides that couldn't be handled by VBR
> or another DKIM signature by the certifier.
+1, I think VBR can address the "wildcard" signer which may not be
desirable (by the receiver and by an 3rd party authority). But I
think you answered this in your RFC security session:
The receiver of a message with a VBR-Info header field MUST ignore
certifiers that it does not trust; otherwise, a bad actor could just
add an authority that it has set up so that it can vouch for itself.
No matter what, like everything else, there needs to be a "White List"
of VBRs that is either defined locally or via a centralized source.
The problem, unlike the browser market, is that SMTP vendors do not
have a common source to do this and even then, they may only want to
do this for selected VBR records, Author Domains and signers.
Hector Santos, CTO
More information about the ietf-dkim