John Levine wrote in <[email protected]>:

 |It appears that Richard Clayton <[email protected]> said:
 |> n= is seldom encountered (sysadmins document what they are doing at
 |> complete different stack levels);
 |
 |My n= tag says where the private key will be published after the next key
 |rotation. But I don't see a practical difference between "ignore n=
 |because it's a comment" or "ignore n= because it's deprecated."
 |
 |> s= was a Good Idea At The Time but other protocols want their own
 |> key definition schemes rather than piggybacking here; and
 |
 |I think it was a lousy idea. If you wanted to publish keys for different
 |services, use different selectors. If you're checking a mail signature
 |and you get an otherwise valid key with s= saying it's for, I dunno, SIP,
 |is it more likely that the key isn't valid for mail, or that the person
 |managing the DNS guessed wrong? But either way, get rid of it.
 |
 |> t= is commonly seen but pointless...
 |
 |I agree it doesn't tell the verifier anything useful. If you don't
 |trust your signing code, don't use it to sign mail sent to other people.
I respectfully disagree. I think it was a very thoughtful and kind idea, since the verifier has to read the record, there is the DNS TTL, and then without any reputation hammering administrators and/or software developers can have a short test run before things get merciless. (Disclaimer: I was very happy to have this option.)

--steffen
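As an added illustration of the tags under debate (example code, not from the thread or any DKIM implementation), the following parses a DKIM key record and shows what a verifier does with n=, s= and t= per RFC 6376 section 3.6.1: n= is informational only, s= must include "email" or "*" for the key to be usable for mail, and t=y makes a failing signature count as "unsigned" rather than "failed". The sample records and their p= values are constructed placeholders.

```python
import re

def parse_dkim_key_record(txt: str) -> dict:
    """Split a DKIM TXT record ('tag=value; tag=value') into a dict.
    Whitespace around tags and values is dropped; whitespace inside p=
    is removed because folded base64 key data may contain it."""
    tags = {}
    for field in txt.split(";"):
        if not field.strip():
            continue
        name, _, value = field.partition("=")  # first '=' only: base64 padding follows
        name = name.strip()
        tags[name] = re.sub(r"\s+", "", value) if name == "p" else value.strip()
    return tags

def evaluate_key_record(txt: str) -> dict:
    """Decide whether a verifier may use this key for mail and how the
    n=, s= and t= tags affect that decision (RFC 6376 section 3.6.1)."""
    tags = parse_dkim_key_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return {"usable": False, "reason": "unknown version"}
    if tags.get("p", "") == "":
        return {"usable": False, "reason": "key revoked (empty p=)"}
    # s= defaults to "*"; the key is valid for mail only if "email" or "*" is listed
    services = {s.strip() for s in tags.get("s", "*").split(":")}
    if not services & {"*", "email"}:
        return {"usable": False, "reason": "s= does not include email"}
    flags = {f.strip() for f in tags.get("t", "").split(":") if f.strip()}
    return {
        "usable": True,
        # t=y: a failing signature is treated as if the message were unsigned,
        # not as a failure; the result may still be logged to help the signer
        "testing": "y" in flags,
        # t=s: the i= domain must equal d= exactly, no subdomains
        "strict_domain": "s" in flags,
        # n= is a human-readable note; a verifier keeps it only for logging
        "note": tags.get("n"),
    }

# Constructed sample records (p= values are placeholders, not real keys)
TESTING_RECORD = "v=DKIM1; k=rsa; t=y:s; s=email; n=constructed note; p=AAAA"
SIP_ONLY_RECORD = "v=DKIM1; s=sip; p=AAAA"
REVOKED_RECORD = "v=DKIM1; p="

if __name__ == "__main__":
    for rec in (TESTING_RECORD, SIP_ONLY_RECORD, REVOKED_RECORD):
        print(evaluate_key_record(rec))
```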
