Oddly enough end user signatures are easy precisely because of the reasons John states.
You have to implement key management and the key management can talk to the dns.
XKMS solves these problems wonderfully. The corner cases are the ones in between. There is just enough effort required to be a PITA but not enough to justify a new infrastructure.
On the admin side where I depart from many in this group is the level of tollerance I have for convoluted admin procedures. First as a security specialist my experience is they screw up in insecure ways. Second not being a paid consultant I see no reason to tolerate high admin overhead.
The deployment scenarios that interest me these days are deployments in areas like afghanistan or iraq, places I have no intention of making site visits to, I am out of that sort of thing these days.
Sent from my GoodLink Wireless Handheld (www.good.com)
-----Original Message-----
From: John Levine [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 30, 2006 07:37 AM Pacific Standard Time
To: [email protected]
Cc: [EMAIL PROTECTED]
Subject: Re: [ietf-dkim] Delegated signatures in real life
>In addition, I would also note that it is extremely easy in a group like
>this to lose track of how non-technical many domain owners are today.
Right, and that means that they use someone else to provide their
mail service.
Keep in mind that DKIM, unlike SPF, requires the active participation
of whoever runs your outgoing mail server to apply signatures, unless
you are enough of a weenie to run a signing engine in your MUA and do
your own key management. For the vast majority of non-technical
users, their ISP or hosting company's MTA will apply its own
signature, and that will be good enough. Indeed, it will probably be
better than a tiny domain's own signature, since whatever formal or
informal reputation systems recipients use are much more likely to
have entries for the ISP than for a tiny domain that sends 12 messages
a week.
I suppose it is hypothetically possible that providers will upgrade
their MTAs to support per-domain DKIM signing and out of perverse
hostility won't offer the DNS support for it. That has never
impressed me as a scenario likely enough to be worth inventing a new
mechanism with unknown security problems that has to be implemented by
all DKIM recipients.
R's,
John
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
_______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
