[ih] DKIM history, was IETF relevance (was Memories of Flag Day?)

Michael Thomas enervatron at gmail.com
Wed Aug 30 15:49:35 PDT 2023


On 8/30/23 3:10 PM, Steffen Nurpmeso via Internet-history wrote:
>
> Unfortunately i never believed something like Let's Encrypt will
> work out for S/MIME, even though the IETF has produced a standard
> which could.
> (Having said that i would push all that onto DNS myself, so that
> CA pools in the end contain DNSSEC certificates of top level
> domains, and root servers (the diversity of which should be
> increased).)

After all this time, what we can say absolutely is that certs don't 
scale to users/clients. If the premise of your protocol is that they do, 
you have written a dead letter.


>    ...
>   |So yes, it was a mistake. We could have had a very secure solution
>   |with proven and widely deployed technology with a pattern that could be
>
> Having said that, i always _truly_ hated DNSSEC, especially TSIG.
> But shipping certificates via DNS i would have admired.  SMIMEA,
> OPENPGPKEY.  And a way to testify it, like we now see more and
> more, that people send PGP signed email like
>
At the time we had to decide between the DK approach using DNS and the 
IIM approach using a web server, DNSSEC was "just around the corner" as 
I recall. The history lesson with IETF should be to use the bird in 
hand. We should have pushed back more at the time but what we really 
didn't want was a long protracted fight. We got the things that we 
wanted integrated in and more or less flipped a coin on DNS/HTTP. Turns 
out the coin flip was wrong.

Which is why it's so vile for some people to insinuate that IIM had no 
value. The fact that it was convergent evolution strengthened the case 
that we should standardize something as expeditiously as possible. The 
fact that Murray and I interoped a few days after the first cut of the 
merge was done shows how close the ideas aligned.

Mike
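Added example (editor's illustration, not code from this thread or from either of its authors): the "DK approach using DNS" that the merged DKIM standard kept publishes the signer's public key as a TXT record at `<selector>._domainkey.<domain>` in tag=value form, so a verifier needs no certificate for the sender at all, which is the scaling point made above. The snippet parses a `DKIM-Signature` header for its `d=` and `s=` tags, builds that query name, and interprets the key record (including the empty `p=` that signals a revoked key). The DNS data is a constructed in-memory dictionary, not a live lookup, and the signature check itself (hashing and RSA verification) is outside this example.

```python
import base64
from typing import Dict

# Constructed sample data for this example; not real DNS records or a real message.
# An empty p= tag in a key record means the selector's key has been revoked (RFC 6376).
SAMPLE_DNS: Dict[str, str] = {
    "sel2023._domainkey.example.com":
        "v=DKIM1; k=rsa; p=" + base64.b64encode(b"fake-rsa-spki-bytes").decode(),
    "old._domainkey.example.com": "v=DKIM1; k=rsa; p=",
}

SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2023; "
    "h=from:to:subject:date; bh=abc; b=def"
)


def parse_tags(value: str) -> Dict[str, str]:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2).

    Tags are ';'-separated, names are case-sensitive, duplicates are an error,
    and folding whitespace inside a value (e.g. a long p= split over lines) is dropped.
    """
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, val = part.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = "".join(val.split())
    return tags


def key_query_name(sig_tags: Dict[str, str]) -> str:
    """Build the DNS name of the key record from the signature's s= and d= tags."""
    domain = sig_tags.get("d")
    selector = sig_tags.get("s")
    if not domain or not selector:
        raise ValueError("DKIM-Signature lacks d= or s=")
    return f"{selector}._domainkey.{domain}".lower()


def parse_key_record(txt: str) -> dict:
    """Interpret a DKIM key record: v= (defaults to DKIM1), k= (defaults to rsa), p= (required)."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported key record version")
    if "p" not in tags:
        raise ValueError("key record lacks p= tag")
    p = tags["p"]
    return {
        "key_type": tags.get("k", "rsa"),
        "revoked": p == "",
        "public_key": base64.b64decode(p) if p else b"",
    }


def resolve_dkim_key(header: str, dns: Dict[str, str]) -> dict:
    """Locate and interpret the key record a DKIM-Signature header points at.

    `dns` stands in for a TXT lookup; status is "ok", "revoked" or "nokey".
    """
    name = key_query_name(parse_tags(header))
    txt = dns.get(name)
    if txt is None:
        return {"query": name, "status": "nokey"}
    record = parse_key_record(txt)
    status = "revoked" if record["revoked"] else "ok"
    return {"query": name, "status": status, **record}


if __name__ == "__main__":
    for hdr in (SAMPLE_HEADER, "v=1; d=example.com; s=old", "v=1; d=example.com; s=missing"):
        print(resolve_dkim_key(hdr, SAMPLE_DNS))
```

The selector indirection is what lets a domain rotate keys without touching any client: publish a new `_domainkey` record, start signing with the new `s=`, then empty the old record's `p=` so verifiers treat old signatures as revoked.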