[ih] DKIM history, was IETF relevance (was Memories of Flag Day?)

John Levine johnl at iecc.com
Tue Aug 29 20:04:09 PDT 2023


It appears that Michael Thomas via Internet-history <enervatron at gmail.com> said:
>> I also have no idea what your reference to DNSSec and Domainkeys is 
>> about, since DK didn't involve DNSSec.
>
>IIM protected the integrity of fetching the key record using TLS. DNSSec 
>was never deployed widely. So yes, by all means let's ignore that DK's 
>security for fetching the selector never materialized where IIM got it 
>right using TLS. Alice, Bob and Eve entered the chat.

Depends on what your goals are. At least until Let's Encrypt came
along, TLS certs were a lot harder to deploy than just publishing a
key record in the DNS. People use DKIM to associate a domain with a
message to develop reputations for mail filtering, not for stronger
assertions or non-repudiation. For that purpose it's been a wild
success, partly due to its relatively easy deployment. 

On the other hand, if you want high strength certificate signatures on
your mail, S/MIME has always been there and is notable for its lack of
use outside of some niche applications.

I don't think I've ever seen the kind of attack that DNSSEC defends
against in the wild, certainly not against DKIM records, so in
practice it's secure enough. Perhaps by accident we made the right
tradeoff.

R's,
John


