Talk:DomainKeys Identified Mail
Don't mind me...
But every time I see this title, my brain initially processes it as "Donkey Identified Mail." Howard C. Berkowitz 17:03, 12 October 2009 (UTC)
- Careful there Howard, we're trying to be neutral. :>) This is one of those articles likely to bring some partisans to the discussion. The closer we get to specific methods, the more controversy we can expect. --David MacQuigg 17:16, 12 October 2009 (UTC)
- I actually don't know the first thing about this method. But let's think about Donkey Identification. Wouldn't it be an appropriate certification that something is indeed approved by the U.S. Democratic Party? Couldn't we have Elephant Identified Mail? Howard C. Berkowitz 19:08, 12 October 2009 (UTC)
More seriously
The description confuses me a bit. Isn't DNS security a subset of public key infrastructure, not an alternative? Yes, the primary purpose is to validate the domain information, but one can still get a certificate through DNSSEC, I thought. Howard C. Berkowitz 19:11, 12 October 2009 (UTC)
- There is a debate going on right now on the merits of DNSSEC instead of the current PKI to distribute public keys. See the posts by Lauren Price at http://www.circleid.com/posts/an_authenticated_internet and Howard Eland at http://www.circleid.com/posts/securing_a_domain_ssl_vs_dnssec. The gist of the argument for DNSSEC is that we can piggyback on a delegation structure already in place and guarded with rigor. If the masters of .org certify a public key for mydomain.org, we can trust them. We can't trust the existing PKI used in web browsing, because users don't take it seriously when they see a certificate is not trusted; they just click on through. The result has been a lack of discipline by legitimate websites in keeping their certificates valid. Better to stash our public keys in DNS. If that ever breaks, the whole Internet will come down.
- As for making DNS security a subtopic of public keys, I would say it might be the other way around. If you look at the spectrum of DNS security threats (e.g. Table 10.1 in "Pro DNS and BIND" by Ron Aitchison (best book on DNS in my opinion)), you see that DNSSEC is listed as a solution for only two of the five categories.
--David MacQuigg 21:21, 12 October 2009 (UTC)