> On Sun, Apr 11, 2021 at 4:13 PM Michael Thomas <mike@xxxxxxxx> wrote:
>> On 4/11/21 12:56 PM, Phillip Hallam-Baker wrote:
>>> On Sun, Apr 11, 2021 at 3:34 PM Michael Thomas <mike@xxxxxxxx> wrote:
>>>> We already have a widely adopted example where we ignored the webpki folks too: DKIM.
>>> That is completely false. I was a member of the DKIM working group and its predecessors. Two years before the DKIM WG was started, I designed a DNS based key credentialing scheme together with a major technology vendor. This was demonstrated to Yahoo by my CEO, Stratton Sclavos, before the date of the Yahoo patent claim.
>> Uh, Jim and I didn't use certificates in the design of IIM and neither did Mark with DK. Since the three of us were the basis of the combined protocol
> I am very surprised that you are unaware of the Sender-ID protocol. Surely Jim mentioned it to you. That was joint work with a third party. We agreed not to put our proposal on the table so as to make it easier for work to proceed.

I don't remember when we became aware of sender-id. I don't know what it has to do with anything either.

>> We showed Jon our design before we released it as a sanity check. At no time did he say anything about certificate based approaches.
> Again, you assume that VRSN was only interested in certificates.

It is a big part of their business model.

> DKIM was designed for SMTP and SMTP alone. It is not a model that can be generalized to other protocols and we knew that at the time. It is certainly not a pattern I would want people to repeat as a paragon.

The key fetching mechanism was purposefully made agnostic. We always envisioned it as being useful for other key distribution needs.

> IIM was a better approach if you wanted to go for policy. The web-service-discovery draft above is basically taking ideas from IIM and Stuart Cheshire's DNS Service Discovery work.
> Given where we are now with all SMTP using STARTTLS, I would probably look to implement TLS client auth instead which would allow fast restart to amortize the public key operations. But that's not where we were then.

TLS doesn't do anything to help the end-to-end authentication.

> DKIM provides 'middle to end' authentication, not end to end. Since it is (usually) checked only in the middle, middle to middle might have been as good a choice.

The point remains: DKIM brought something that goes beyond point to point to anchor reputation on.
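The thread refers to DKIM's key fetching mechanism without showing it. The following is an added illustration, not code from the thread or from any DKIM implementation, of how a verifier at a receiving MTA locates the signing key: it derives the `selector._domainkey.domain` DNS name from the `s=` and `d=` tags of a DKIM-Signature header (RFC 6376), honours the `q=` query-method tag that makes the lookup method pluggable, and parses the TXT key record, refusing a revoked (empty `p=`) key or one whose type or permitted hashes do not match the signature's `a=` algorithm. The sample header, the key material and the in-memory resolver standing in for DNS are all constructed for the example.

```python
import base64
import re

# Constructed sample DKIM-Signature header value (no real key or signature).
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel2021;"
    " h=from:to:subject:date; bh=Zm9vYmFy; b=YmFyYmF6"
)

# Constructed stand-in for DNS TXT records at selector._domainkey.domain.
# A real verifier would ask its resolver for these names.
SAMPLE_KEY_RECORDS = {
    "sel2021._domainkey.example.com":
        "v=DKIM1; k=rsa; h=sha256; p="
        + base64.b64encode(b"constructed-not-a-real-key").decode(),
    "old._domainkey.example.com": "v=DKIM1; k=rsa; p=",  # revoked key
}


def parse_tag_list(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2).

    Tags are separated by ';', folding whitespace inside values is removed,
    and a duplicate tag makes the whole list invalid."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        tag, val = item.split("=", 1)
        tag = tag.strip()
        if tag in tags:
            raise ValueError(f"duplicate tag: {tag}")
        tags[tag] = re.sub(r"\s+", "", val)
    return tags


def key_record_name(sig):
    """Selector and signing domain give the DNS name of the key record."""
    if "s" not in sig or "d" not in sig:
        raise ValueError("DKIM-Signature missing s= or d=")
    return f"{sig['s']}._domainkey.{sig['d']}"


def parse_key_record(txt):
    """Parse a DKIM key record; v= defaults to DKIM1, k= defaults to rsa."""
    rec = parse_tag_list(txt)
    if rec.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported key record version")
    if "p" not in rec:
        raise ValueError("key record has no p= tag")
    if rec["p"] == "":
        raise ValueError("key revoked (empty p=)")
    rec["key_bytes"] = base64.b64decode(rec["p"], validate=True)
    rec["k"] = rec.get("k", "rsa")
    return rec


def check_key_compatible(sig, rec):
    """Return a reason string if the key record may not verify this
    signature's a= algorithm, else None."""
    key_type, _, hash_alg = sig.get("a", "").partition("-")
    if not key_type or not hash_alg:
        return "malformed a= tag"
    if rec["k"] != key_type:
        return f"key type mismatch: a={sig['a']} but k={rec['k']}"
    if "h" in rec and hash_alg not in rec["h"].split(":"):
        return f"hash {hash_alg} not permitted by key record h={rec['h']}"
    return None


def locate_signing_key(sig_header, resolver):
    """Return (status, record): status is 'ok' or the reason the key
    could not be used. `resolver(name)` returns a TXT string or None."""
    try:
        sig = parse_tag_list(sig_header)
        method = sig.get("q", "dns/txt")  # the only method RFC 6376 defines
        if method != "dns/txt":
            return f"unsupported query method {method}", None
        name = key_record_name(sig)
        txt = resolver(name)
        if txt is None:
            return f"no key record at {name}", None
        rec = parse_key_record(txt)
        problem = check_key_compatible(sig, rec)
        return (problem, None) if problem else ("ok", rec)
    except ValueError as exc:
        return str(exc), None


if __name__ == "__main__":
    status, rec = locate_signing_key(SAMPLE_SIGNATURE, SAMPLE_KEY_RECORDS.get)
    print(status, rec and rec["k"])
```

The record lookup is the only part of DKIM that touches infrastructure outside the message itself, which is why the method tag and the `_domainkey` naming convention are what make the mechanism reusable: swapping the resolver callback for any other key store leaves the header parsing and the compatibility checks unchanged.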