[41414] in cryptography@c2.net mail archive
Re: DNS/DNSSEC as an inbound mail signature public key distribution
daemon@ATHENA.MIT.EDU (Thierry Moreau)
Fri Sep 8 10:36:47 2006
X-Original-To: cryptography@metzdowd.com
Date: Thu, 07 Sep 2006 10:57:07 -0400
From: Thierry Moreau <thierry.moreau@connotech.com>
To: Cryptography <cryptography@metzdowd.com>
In-Reply-To: <A4786E83-F86D-4807-87A2-1235A7CE4646@callas.org>
Jon Callas wrote:
>
> [... about DKIM ...] The signature travels with the message and
> the signing key is in the network. As long as you have both, you can
> verify the signatures.
>
"the signing key is in the network" --> Indeed. The public signature key
is stored in the DNS.
DKIM might be the first widely deployed application to use the DNS as
the preferred means of distributing public keys.
*Authenticated* public key distribution would need an upgrade of the DNS
with DNSSEC deployment.
Perhaps it is time for discussion groups like this one to take a look at
DNSSEC (RFC4033 / RFC4034 / RFC4035) and review its security principles,
trust model, deployment challenges, HMI (Human Machine Interaction)
aspects, etc.
Look at
http://www.circleid.com/posts/dnssec_deployment_and_dns_security_extensions/
or query your favorite web search engine with "DNSSEC".
Good reading.
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1
Tel.: (514)385-5691
Fax: (514)385-5900
web site: http://www.connotech.com
e-mail: thierry.moreau@connotech.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
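As an added illustration of the two points made in the message above (a DKIM public key is fetched from a TXT record under the `_domainkey` name, and that fetch is only authenticated when the resolver validated the answer with DNSSEC), the following example code is not part of the original thread. The selector, domain and key bytes are constructed placeholders, and the resolver's AD flag is passed in as a parameter rather than read from a live lookup.

```python
import base64
from typing import Dict, List

# Constructed sample: the TXT RRset a resolver would hand back for
# <selector>._domainkey.<domain>. The key bytes are a placeholder, not a real
# RSA key; long records are split into several character-strings in the DNS.
SAMPLE_SELECTOR = "sel2006"
SAMPLE_DOMAIN = "example.com"
SAMPLE_TXT_STRINGS = [
    "v=DKIM1; k=rsa; t=s; p=" + base64.b64encode(b"not-a-real-key-").decode(),
    base64.b64encode(b"second-chunk").decode(),
]

def dkim_query_name(selector: str, domain: str) -> str:
    """Owner name holding the DKIM public key (RFC 6376 section 3.6.2.1)."""
    return f"{selector}._domainkey.{domain}"

def parse_dkim_record(txt_strings: List[str]) -> Dict[str, str]:
    """Concatenate the TXT character-strings, then split the tag=value list.
    Whitespace inside a value is folding whitespace and is dropped (RFC 6376)."""
    tags: Dict[str, str] = {}
    for item in "".join(txt_strings).split(";"):
        if not item.strip():
            continue                              # trailing ';' or empty element
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        tag, value = item.split("=", 1)
        tag = tag.strip()
        if tag in tags:
            raise ValueError(f"duplicate tag: {tag}")
        tags[tag] = "".join(value.split())
    if tags.get("v", "DKIM1") != "DKIM1":        # v= is optional, but must be DKIM1
        raise ValueError("not a DKIM1 key record")
    if "p" not in tags:
        raise ValueError("key record has no p= tag")
    tags.setdefault("k", "rsa")                   # key type defaults to rsa
    return tags

def public_key_bytes(tags: Dict[str, str]) -> bytes:
    """Decode p=. An empty p= means the key has been revoked (RFC 6376)."""
    if tags["p"] == "":
        raise ValueError("key revoked (empty p=)")
    return base64.b64decode(tags["p"], validate=True)

def verify_key_record(selector: str, domain: str, txt_strings: List[str],
                      ad_flag: bool) -> Dict[str, object]:
    """The message's point: the TXT answer proves nothing about where the key
    came from unless the resolver validated it with DNSSEC. A validating
    resolver signals that with the AD bit (RFC 4035 section 3.2.3), which is
    itself only meaningful over a trusted path to that resolver."""
    tags = parse_dkim_record(txt_strings)
    key = public_key_bytes(tags)                  # raises if revoked/malformed
    return {"name": dkim_query_name(selector, domain), "key_type": tags["k"],
            "key_len": len(key), "authenticated": bool(ad_flag)}
```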