Include a proof that a key really belongs to a user id (DKIM)

[eriktews]

Hi

So at the moment, as I understand key transparency allows basically everyone to claim that he owns a specific email address. At some point of the development, there was the idea of using DKIM as a kind of proof that the address really belongs to that key. When DKIM is supported by a specific domain which also uses DNSSEC, you should be able to collect a signed email and a copy of the DNS records, that can be verified up to the DNSSEC root key.

So it looks like this (on a small scale) has already been suggested in https://github.com/google/key-transparency/issues/90 and some changes have been made to the code, but it has been refactored and/or removed again.

My suggestion would be to also include a proof using DKIM in the log. This might consist of an email written by the user that is signed with the key and also signed with DKIM. In addition the DNS records including DNSSEC could be collected so that there is also some proof that really this DKIM key was used which can be verified later on.

[gdbelvin]

Thank you for the suggestion. The core/authentication module is designed to provide a flexible API for authenticating new accounts. The team has considered DKIM at various points and may add it in the future if we can do so securely.

[eriktews]

Great, I would even consider adding DKIM from time to time to proof that the email address is still "fresh".

Regardings DKIM, always also logging the DNS records with the DKIM key with DNSSEC would be great.

Erik