[doseta-discuss] Doing a DOSETA variant

[Murray S. Kucherawy]

> -----Original Message-----
> From: doseta-discuss-bounces at trusteddomain.org [mailto:doseta-discuss-bounces at trusteddomain.org] On Behalf Of Bill Burke
> Sent: Wednesday, July 13, 2011 1:58 PM
> To: dcrocker at bbiw.net
> Cc: doseta-discuss at medusa.blackops.org
> Subject: Re: [doseta-discuss] Doing a DOSETA variant
> 
> > If you do the full algorithm, but make l=0, I think you'll get the
> > effect you want, since none of the body will be covered by the signature.
> 
> Yes, exactly :)

I think perhaps DOSETA should be clear about the security exposure of using "l=0", which we've learned from the DKIM experience.  That is, it could say something like: "If you use 'l=0', you SHOULD apply some other mechanism to certify the content of the body is endorsed by the/a signer."

> I also wanted to more cleanly separate the
> verification/canonicalization/signing/signature template description
> from key management/key discovery.  Maybe even into a separate doc.
> Reason?  Other spec efforts may want to sign parts of an HTTP or Email
> message and build off the work done by DKIM.  But, may want a different
> way to deal with key management/discovery.

DOSETA (I think) defines "q=" and gives "dns/txt" as the default.  We could certainly have a registry of extensions that present other possible values for "q=" and what they mean.

We started a few times to add "q=http" for DKIM but it never went anywhere.  I don't recall that we created a registry for possible "q=" values with DKIM, since there's only one.  We certainly could do that with DOSETA, especially if we have a second example to document.