Hello,

I've three suggestions on draft-wouters-dane-openpgp-02:

1. Email domain providers MUST provide a secure API/interface to customers to provide a personal OpenPGP public key.

2. MTAs/SPAM detection systems MUST check if the tuple "sender email address" <-> "sender OpenPGP public key" matches and MUST reject the email in case it does not match with signed messages to prevent address forgery and SPAM.

3. Security considerations: The IANA has control over the DNSSEC root keys. As the IANA is bound to US law, US government agencies probably have access to the DNSSEC root keys and are capable of manipulating the OpenPGP keys signed with DNSSEC.

--
Best regards,

Renne


Rene Bartsch, B. Sc. Informatics

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
