One of the key assumptions that was made 20 years ago is that DNSSEC would ultimately be deployed and thus could be counted on to secure fetching the DKIM selector record. That has turned out to have been a bad assumption. It's sort of a glaring hole, IMO, for a security protocol to not have cryptographic evidence of provenance. The original IIM protocol didn't count on DNS beyond looking up a server, which is common practice these days given TLS/certs and using the existing authentication hierarchy for the web, etc. Fixing this could be a non-breaking change.
Mike