[ih] DKIM history, was IETF relevance (was Memories of Flag Day?)

Steffen Nurpmeso steffen at sdaoden.eu
Thu Aug 31 13:37:42 PDT 2023


Michael Thomas via Internet-history wrote in
 <488194c0-15ba-0b6a-de00-ba280cfa2b1a at gmail.com>:
 |On 8/30/23 3:10 PM, Steffen Nurpmeso via Internet-history wrote:
 |>
 |> Unfortunately i never believed something like Let's Encrypt will
 |> work out for S/MIME, even though the IETF has produced a standard
 |> which could.
 |> (Having said that i would push all that onto DNS myself, so that
 |> CA pools in the end contain DNSSEC certificates of top level
 |> domains, and root servers (the diversity of which should be
 |> increased).)
 |
 |After all this time, what we can say absolutely is that certs don't 
 |scale to users/clients. If the premise of your protocol is that they do, 
 |you have written a dead letter.

That i do not understand.  Where is the difference to today
regarding "scale"?

Whether you have a totally detached (commercial, only very, very
few governments (left)) CA pool and per-(sub(-sub(...))-)domain
certificates signed by a pool member, or a CA pool with root
server and some top level domains?
The latter can even be automatically, and partially, refreshed.

I am not a network expert and not deeply within the RFCs, but the
IPSec infrastructure and (its) P(ublic)K(ey)I(nfrastructure), as
well as the DNSSEC infrastructure do this?
(Certification Authority (CA) Key Rollover in the Resource Public
Key Infrastructure (RPKI), RFC 6489.
DNSSEC Operational Practices, Version 2, RFC 6781.)

 |>    ...
 |>|So yes, it was a mistake. We could have a had a very secure solution
 |>|with proven and widely deployed technology with a pattern that could be
 |>
 |> Having said that, i always _truly_ hated DNSSEC, especially TSIG.
 |> But shipping certificates via DNS i would have admired.  SMIMEA,
 |> OPENPGPKEY.  And a way to testify it, like we now see more and
 |> more, that people send PGP signed email like
 |>
 |At the time we had to decide between the DK approach using DNS and the 
 |IIM approach using a web server, DNSSec was "just around the corner" as 
 |I recall. The history lesson with IETF should be to use the bird in 
 |hand. We should have pushed back more at the time but what we really 
 |didn't want was a long protracted fight. We got the things that we 
 |wanted integrated in and more or less flipped a coin on DNS/HTTP. Turns 
 |out the coin flip was wrong.
 |
 |Which is why it's so vile for some people to insinuate that IIM had no 
 |value. The fact that it was convergent evolution strengthened the case 
 |that we should standardize something as expeditiously as possible. The 
 |fact that Murray and I interoped a few days after the first cut of the 
 |merge was done shows how close the ideas aligned.

Oh, i cannot comment on this DK / IIM issue.

All i would hope for is that mailing-lists and others which need
or want to adjust messages on the fly would finally be enabled to
do so again, when they take part in DKIM (alone, besides ARC or
DMARC that many do not use, and surely would love staying away
from also in the future), as on ietf-dkim.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


