DNS/DNSSEC as an inbound mail signature public key distribution mechanism (was: signing all outbound email)
Thierry Moreau
thierry.moreau at connotech.com
Thu Sep 7 10:57:07 EDT 2006
Jon Callas wrote:
>
> [... about DKIM ...] The signature travels with the message and
> the signing key is in the network. As long as you have both, you can
> verify the signatures.
>
"the signing key is in the network" --> Indeed. The public signature key
is stored in the DNS.
DKIM might be the first widely deployed application to use the DNS as
the preferred means of distributing public keys.
*Authenticated* public key distribution would need an upgrade of the DNS
with DNSSEC deployment.
Perhaps it is time for discussion groups like this one to take a look at
DNSSEC (RFC4033 / RFC4034 / RFC4035) and review its security principles,
trust model, deployment challenges, HMI (Human Machine Interaction)
aspects, etc.
Look at
http://www.circleid.com/posts/dnssec_deployment_and_dns_security_extensions/
or query your favorite web search engine with "DNSSEC".
Good reading.
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1
Tel.: (514)385-5691
Fax: (514)385-5900
web site: http://www.connotech.com
e-mail: thierry.moreau at connotech.com
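An added example, not code from the post or from any DKIM implementation: the record a verifier fetches is a TXT RRset under `<selector>._domainkey.<domain>` carrying a tag=value list (RFC 6376 section 3.6.1). The code below builds that owner name, reassembles a record that the resolver returned as several character-strings, and parses the tags into the fields a verifier needs, rejecting the records it must treat as unusable (revoked key, bad version tag, unknown key type). The sample records and the key bytes in them are constructed for illustration only; the DNS query itself is left out so the block runs offline.

```python
"""Parse a DKIM public-key record of the kind published in DNS (RFC 6376 3.6.1).

Added example: the records below are constructed for illustration and are not
real zone data from any domain.
"""
import base64
import re

KNOWN_KEY_TYPES = {"rsa", "ed25519"}   # ed25519 was added by RFC 8463
KNOWN_FLAGS = {"y", "s"}               # y = testing mode, s = strict i=/d= match


def dkim_record_name(selector: str, domain: str) -> str:
    """Owner name a verifier queries (type TXT) for the s= and d= of a signature."""
    return f"{selector}._domainkey.{domain}"


def join_txt_strings(strings) -> str:
    """A TXT record longer than 255 octets is carried as several character-strings;
    RFC 6376 says to concatenate them in order before parsing."""
    return "".join(strings)


def parse_dkim_key_record(txt: str) -> dict:
    """Turn the tag=value list into a dict; raise ValueError on unusable records."""
    tags, order = {}, []
    for field in txt.split(";"):
        if not field.strip():
            continue
        if "=" not in field:
            raise ValueError(f"malformed tag field: {field!r}")
        name, value = field.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = re.sub(r"\s+", "", value)  # folding whitespace may appear in values
        order.append(name)

    # v= is optional, but if present it must be "DKIM1" and must be the first tag.
    if "v" in tags and (tags["v"] != "DKIM1" or order[0] != "v"):
        raise ValueError("bad or misplaced v= tag")
    if "p" not in tags:
        raise ValueError("missing p= tag")

    key_type = tags.get("k", "rsa")
    if key_type not in KNOWN_KEY_TYPES:
        raise ValueError(f"unknown key type {key_type!r}")

    flags = {f for f in tags.get("t", "").split(":") if f}
    hashes = {h for h in tags.get("h", "").split(":") if h} or None  # None = any
    services = {s for s in tags.get("s", "*").split(":") if s}

    # An empty p= means the key has been revoked: signatures must not verify.
    p = tags["p"]
    public_key = None if p == "" else base64.b64decode(p, validate=True)

    return {
        "key_type": key_type,
        "public_key": public_key,   # DER SubjectPublicKeyInfo (rsa) or raw 32 bytes (ed25519)
        "revoked": public_key is None,
        "testing": "y" in flags,
        "strict": "s" in flags,
        "unknown_flags": flags - KNOWN_FLAGS,  # RFC 6376: unknown flags are ignored
        "hash_algorithms": hashes,
        "services": services,
        "notes": tags.get("n"),
    }


def is_rejected(txt: str) -> bool:
    """True if the parser refuses the record (used to exercise the error paths)."""
    try:
        parse_dkim_key_record(txt)
        return False
    except ValueError:
        return True


# Constructed sample records; the "key" is a placeholder, not a real DER key.
FAKE_KEY_B64 = base64.b64encode(b"constructed placeholder, not a real DER key").decode()
SAMPLE_SPLIT = ["v=DKIM1; k=rsa; h=sha256; t=y; p=" + FAKE_KEY_B64[:20],
                FAKE_KEY_B64[20:]]          # split as a long real key would be
SAMPLE_REVOKED = "v=DKIM1; p="
SAMPLE_BAD_VERSION = "k=rsa; v=DKIM1; p=" + FAKE_KEY_B64
SAMPLE_BAD_KEYTYPE = "v=DKIM1; k=dsa; p=" + FAKE_KEY_B64


if __name__ == "__main__":
    print(dkim_record_name("sel1", "example.com"))
    print(parse_dkim_key_record(join_txt_strings(SAMPLE_SPLIT)))
    print(parse_dkim_key_record(SAMPLE_REVOKED)["revoked"])
```

Note what this parser does not do: it says nothing about whether the TXT answer is the one the domain owner published. That is the point of the post above: unless the resolver validates the RRset with DNSSEC (RFC 4033 through 4035) and the verifier only trusts answers that came back validated, an attacker who can spoof the DNS response can substitute a key of their own choosing and have a forged signature verify.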
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com