[ih] DKIM history, was IETF relevance (was Memories of Flag Day?)

Steffen Nurpmeso steffen at sdaoden.eu
Wed Aug 30 15:10:38 PDT 2023


Michael Thomas via Internet-history wrote in
 <632f7f35-45b0-18ad-e7e1-8efb0163ae3c at gmail.com>:
 |On 8/29/23 8:04 PM, John Levine wrote:
 |> It appears that Michael Thomas via Internet-history <enervatron at gmail.com> said:
 |>>> I also have no idea what your reference to DNSSec and Domainkeys is
 |>>> about, since DK didn't involve DNSSec.
 |>> IIM protected the integrity of fetching the key record using TLS. DNSSec
 |>> was never deployed widely. So yes, by all means let's ignore that DK's
 ...
 |Email is relatively low value. I'd never trust some DANE implementation 

The great thing about email is, in my opinion, that it can also
have super high value at the same time, if you sign with S/MIME
or OpenPGP, or even encrypt.
DKIM could also be stronger than it is now, by itself.

Unfortunately I never believed something like Let's Encrypt would
work out for S/MIME, even though the IETF has produced a standard
which could.
(Having said that, I would push all that onto DNS myself, so that
CA pools in the end contain DNSSEC certificates of top-level
domains, and root servers (the diversity of which should be
increased).)

  ...
 |that wasn't protected by DNSSec for my bank, for example. But by 2004 
 |getting a cert onto a web server was completely routine and the number 
 |of web sites using it was immense. It turns out that the overhead of 
  ...

However, that was 20 years ago.  Even the resolver of the small
musl C library now (since last year, with a bug fix later) supports
TCP queries; EDNS mysteriously never seems to have made it into
some automatic mode in which C stub resolvers use it if they can.
That could have been pushed forward more massively by everyone.
But even in 2009, RFC 5625 writes

   Research has found ([SAC035], [DOTSE]) that many commonly used
   broadband gateways (and similar devices) contain DNS proxies that are
   incompatible in various ways with current DNS standards.
  ...

and gives advice.  That, too, was 14 years ago.  In this respect I
think a re-evaluation might find that an older protocol can be
improved simply by taking into account the growing number of
domains which use those features.
For example, "dig X rrsig" for FreeBSD.org and NetBSD.org gives
good results, yet funnily ietf.org does not.  (Unless I am
mistaken.)

  ...
 |So yes, it was a mistake. We could have a had a very secure solution 
 |with proven and widely deployed technology with a pattern that could be 

Having said that, I always _truly_ hated DNSSEC, especially TSIG.
But shipping certificates via DNS I would have admired: SMIMEA,
OPENPGPKEY.  And a way to attest to it, like we now see more and
more, where people send PGP-signed email like

    | TEXT
    | PGP KEY
    PGP SIGNATURE 

I.e. where the signature covers its own key.  That is brilliant!
It can be that easy!

Sometimes, you have to clean up.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
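As an added example (not code from this mail or from any project it mentions), here is how the owner names for the SMIMEA and OPENPGPKEY records referred to above are derived, per RFC 7929 (OPENPGPKEY) and RFC 8162 (SMIMEA): SHA-256 of the UTF-8 local-part, truncated to 28 octets, as a hex label under `_openpgpkey` or `_smimecert` in the (lowercased) domain. The `hugh@example.com` address and its hash are the test vector both RFCs publish. The `candidate_addresses` helper and the `zone` set are assumptions constructed for illustration: the RFCs deliberately leave case folding and sub-addressing to the publisher, so a client trying variants is guessing, and the as-given form is always tried first.

```python
"""Owner names for keys and certificates published in DNS: OPENPGPKEY
(RFC 7929) and SMIMEA (RFC 8162).  Added example, not from the original mail.

"hugh@example.com" and its hash are the published RFC 7929/8162 test vector.
The zone contents used by resolve_in_zone() are constructed here.
"""
import hashlib
from typing import List, Optional, Set, Tuple

HASH_OCTETS = 28                  # RFC 7929 s.3: SHA2-256 truncated to 28 octets
OPENPGPKEY_LABEL = "_openpgpkey"  # RFC 7929
SMIMEA_LABEL = "_smimecert"       # RFC 8162

RFC_EXAMPLE_ADDRESS = "hugh@example.com"
RFC_EXAMPLE_HASH = "c93f1e400f26708f98cb19d936620da35eec8f72e57f9eec01c1afd6"


def split_address(addr: str) -> Tuple[str, str]:
    """Split at the last '@'; a quoted local-part may itself contain '@'."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox address: {addr!r}")
    return local, domain


def hashed_local_part(local: str) -> str:
    """Left-hand label: lowercase hex of SHA-256(UTF-8(local-part))[:28].

    The local-part is hashed exactly as given.  RFC 7929 s.5.1 leaves case
    folding and other variants to the publisher, who knows the mailbox's
    rules; a sender cannot safely normalise it.
    """
    digest = hashlib.sha256(local.encode("utf-8")).digest()
    return digest[:HASH_OCTETS].hex()


def canonical_domain(domain: str) -> str:
    """DNS names are case-insensitive: lowercase and make absolute.
    An internationalised domain must already be in A-label (punycode) form;
    this helper does not convert U-labels."""
    return domain.lower().rstrip(".") + "."


def owner_name(addr: str, label: str) -> str:
    """<hash>.<label>.<domain>. for the given record type label."""
    local, domain = split_address(addr)
    return f"{hashed_local_part(local)}.{label}.{canonical_domain(domain)}"


def openpgpkey_name(addr: str) -> str:
    return owner_name(addr, OPENPGPKEY_LABEL)


def smimea_name(addr: str) -> str:
    return owner_name(addr, SMIMEA_LABEL)


def candidate_addresses(addr: str) -> List[str]:
    """Variants a client might try if the as-given form has no record.
    Stripping a '+tag' and lowercasing are assumptions about the receiving
    system's aliasing rules, which is why the as-given form comes first."""
    local, domain = split_address(addr)
    variants = [local]
    if "+" in local:                                  # sub-addressing user+tag
        variants.append(local.split("+", 1)[0])
    variants += [v.lower() for v in list(variants) if v.lower() != v]
    seen, out = set(), []
    for v in variants:
        if v not in seen:
            seen.add(v)
            out.append(f"{v}@{domain}")
    return out


def resolve_in_zone(addr: str, label: str, published: Set[str]) -> Optional[str]:
    """First candidate owner name present in `published`, a set of owner
    names standing in for the answers of real DNS queries (constructed)."""
    for candidate in candidate_addresses(addr):
        name = owner_name(candidate, label)
        if name in published:
            return name
    return None


if __name__ == "__main__":
    # Constructed zone: the operator published only the all-lowercase form.
    zone = {openpgpkey_name(RFC_EXAMPLE_ADDRESS)}
    print(openpgpkey_name(RFC_EXAMPLE_ADDRESS))
    print(smimea_name("Hugh@Example.COM."))       # different hash: case matters
    print(resolve_in_zone("Hugh+lists@Example.COM", OPENPGPKEY_LABEL, zone))
```

The domain is folded because DNS is case-insensitive, but the local-part is not: `Hugh@...` and `hugh@...` hash to different labels, which is exactly the reason the RFCs tell publishers to add records for whatever variants their mail system accepts rather than expecting clients to guess.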


