On Tue, May 16, 2023 at 7:00 AM Jan Dušátko <jan= 40dusatko....@dmarc.ietf.org> wrote:
> 1) At this moment, the use of the tag "v=DKIM1;" is only RECOMMENDED and > if this tag is used, it must be the first. Unlike, for example, SPF and > DMARC, this is not a REQUIRED (MANDATORY) record. In case of an attempt > to identify DKIM records, then there is a situation where it is not > possible to determine which records are DKIM keys. Often, these keys are > in other places where they allow to create CNAME to the expected > location of the selector. These locations may be application dependent > or may be with third parties configuration. From my perspective, > MANDATORY record "v=DKIM1;" could help to identify DKIM keys much easily. > I don't get the impression that identifying a record that contains a valid DKIM key record is hard. The ABNF is pretty clear. It's certainly easier to say "does this start v=DKIM1;?" than it is to run a full parser on it, but I imagine if you try to stuff a random string through a DKIM key parser, it'll know pretty quickly most of the time that the record isn't valid given the second character pretty much has to be "=" which is going to trim a lot of cruft right away. Also, a change to make this REQUIRED would take forever for the world to adapt. There's a great deal of inertia out there, and the benefit of such a change isn't going to be obvious to the broader community, so you're going to find records in the current format for years to come, and implementations would justifiably accept the old format for some long transition period. Are you talking about DKIM records out in the general Internet, or only within domains you control? > 2) Is it possible to specify precisely under which conditions the DKIM > key is valid? Some third party records contain only an empty record "", > others contain only revoked key like "p=" or it is a reference to a > non-existent record. Unfortunately, RFCs do not provide unambiguous > information on under which conditions this record is invalid. From my > perspective, use of non-existing records or empty strings can draw that > key useless, but rules specifying that in RFC or BCP will be welcome. > I disagree that this is ambiguous. An empty string isn't a valid DKIM key record. An empty "p=" value is a valid DKIM key record indicating "there was a key here, but it's been revoked". > 3) The "p=key" information containing the key material information > encoded by Base64 should occur in the key exactly once. I did not find a > condition in RFC for the existence of this record. I found only > information on implementation behavior, when "p=", i.e. an empty key > material, is considered revoked. However, it is not unambiguous whether > this approach is acceptable. Also specification of that rules can make > my life much easier. > I also disagree that this is ambiguous. The RFC is pretty clear about what an empty "p=" means. -MSK
_______________________________________________ Ietf-dkim mailing list Ietf-dkim@ietf.org https://www.ietf.org/mailman/listinfo/ietf-dkim
