Re: replay, revocation, repudiation, was RE: [ietf-dkim] On per-user-keying
On August 11, 2005 at 12:57, SM wrote:
> >I'm not sure why Phillip thinks DKIM requires a full-on PKI. Isn't
> >publishing and removing short-lived keys in the DNS sufficient? Key
> >removal provides a simple repudiation mechanism, if the TTLs are suitably
> >short.
>
> Key removal may also affect valid mail that has been sent during that
> time. Key removal may not be an adequate repudiation mechanism,
> especially for large domains. If the TTL is too short, we lose the
> benefits of DNS caching.
Are we referring to key revocation or repudiation here? There is a
definite relationship between the two, but removal of keys in DNS (or
better, an explicit revocation marker is provided), just denotes
a key has been revoked. Repudiation will depend on the message(s)
themselves and who wants to repudiate a specific message (or messages).
If I am not mistaken, only people can repudiate. Repudiation is a
human (and possibly a legal) process, and appears to be outside of
the scope of DKIM.
Or am I mistaken in my understanding?
--ewh
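The trade-offs raised in this exchange (key removal invalidating mail still in transit, the difference between a removed selector and an explicit revocation marker, and the caching cost of short TTLs) can be seen in a small simulation. The following is an added example, not code from this thread or from any DKIM implementation: it models a zone of selector records, a caching resolver with a TTL, and a verifier. Signatures are a keyed SHA-256 stand-in for RSA so it runs offline; the selector name, key material and timestamps are constructed. The revoked-record form relies on RFC 6376 section 3.6.1, where an empty p= value means the key has been revoked.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed names (not from the thread)
SEL = "aug2005._domainkey.example.com"
LIVE_RECORD = "v=DKIM1; k=rsa; p=KEYMATERIAL-AUG2005"


def parse_record(txt):
    """Parse a 'tag=value; tag=value' DKIM-style TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


@dataclass
class Zone:
    """Authoritative data: selector -> TXT record; counts queries served."""
    records: dict
    queries: int = 0

    def lookup(self, selector):
        self.queries += 1
        return self.records.get(selector)  # None models NXDOMAIN

    def remove(self, selector):
        self.records.pop(selector, None)

    def revoke(self, selector):
        # RFC 6376 3.6.1: an empty p= value means the key has been revoked.
        self.records[selector] = "v=DKIM1; k=rsa; p="


@dataclass
class CachingResolver:
    """A verifier-side resolver that honours the zone's TTL."""
    zone: Zone
    ttl: int
    cache: dict = field(default_factory=dict)  # selector -> (expires_at, record)

    def lookup(self, selector, now):
        hit = self.cache.get(selector)
        if hit and now < hit[0]:
            return hit[1]  # served from cache, no authoritative query
        rec = self.zone.lookup(selector)
        self.cache[selector] = (now + self.ttl, rec)
        return rec


def toy_sign(key_material, body):
    """Stand-in for an RSA signature: keyed SHA-256 over the body."""
    return hmac.new(key_material.encode(), body.encode(), hashlib.sha256).hexdigest()


def verify(msg, resolver, now):
    """Return a DKIM-style result for a message at simulated time `now`."""
    rec = resolver.lookup(msg["s"], now)
    if rec is None:
        return "permfail (no key for selector)"
    tags = parse_record(rec)
    if tags.get("p", "") == "":
        return "permfail (key revoked)"
    if hmac.compare_digest(toy_sign(tags["p"], msg["body"]), msg["b"]):
        return "pass"
    return "fail (bad signature)"


def scenario(ttl, explicit_revocation):
    """Sign at t=100, withdraw the key at t=200, re-verify at t=300.

    Returns (result while live, result at a warm-cache verifier,
    result at a cold-cache verifier, authoritative queries made).
    """
    zone = Zone({SEL: LIVE_RECORD})
    warm = CachingResolver(zone, ttl)  # already fetched the key while live
    cold = CachingResolver(zone, ttl)  # first sees the selector after withdrawal
    msg = {"s": SEL, "body": "hello", "b": toy_sign("KEYMATERIAL-AUG2005", "hello")}
    live = verify(msg, warm, now=100)
    if explicit_revocation:
        zone.revoke(SEL)
    else:
        zone.remove(SEL)
    return live, verify(msg, warm, now=300), verify(msg, cold, now=300), zone.queries


def lookups_for(ttl, n_messages, spacing):
    """Authoritative queries needed to verify n messages `spacing` seconds apart."""
    zone = Zone({SEL: LIVE_RECORD})
    resolver = CachingResolver(zone, ttl)
    for i in range(n_messages):
        resolver.lookup(SEL, now=i * spacing)
    return zone.queries
```

With a one-hour TTL, removing the key leaves a warm-cache verifier passing the in-flight message while a cold-cache verifier fails it with no way to tell a revoked key from a typo in the selector; the explicit empty-p= record makes that distinction visible. Shrinking the TTL to 60 seconds makes the removal take effect everywhere, but at the price of one authoritative query per message for any TTL below the inter-message spacing, which is the caching cost SM points out.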