Dave Isaacs wrote:
> I was wondering if there is an accepted practice for generating DKIM
> keys.
>
> Using openssl to generate DKIM keys is simple and effective, but is
> there any value in going a step further and obtaining keys from a
> certified CA? I don't see any added value in doing so (as much as I'd
> like to say otherwise), since DKIM doesn't require any root of trust.
>
> Does anybody else have any opinions?

You can buy your keys if you really want, but there is absolutely no advantage in having your keys signed by a certified CA. See chapter 3.6 from RFC 4871:

Signature applications require some level of assurance that the
verification public key is associated with the claimed signer. Many
applications achieve this by using public key certificates issued by
a trusted third party. However, DKIM can achieve a sufficient level
of security, with significantly enhanced scalability, by simply
having the verifier query the purported signer's DNS entry (or some
security-equivalent) in order to retrieve the public key.
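
An added illustration, not part of the original message or of the dkim-milter project: generating a DKIM key pair with openssl and producing the DNS TXT record that verifiers fetch, with no certificate or CA involved. The function names, the selector `selector1`, the domain `example.com` and the 2048-bit key size are assumptions of this example.

```shell
#!/bin/sh
# Added example: self-generated DKIM key and its DNS record. The public key
# is published as a bare base64 SubjectPublicKeyInfo; nothing is CA-signed.
set -eu

generate_dkim_key() {
  # $1 = private key path, $2 = RSA modulus size in bits.
  # The subshell umask keeps the private key unreadable by other users.
  ( umask 077; openssl genrsa -out "$1" "$2" 2>/dev/null )
}

dkim_record() {
  # $1 = private key path. Prints the TXT record value for that key.
  dr_pub=$(openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A)
  printf 'v=DKIM1; k=rsa; p=%s\n' "$dr_pub"
}

dkim_zone_line() {
  # $1 = selector, $2 = domain, $3 = private key path.
  # A single TXT character-string holds at most 255 bytes, and a 2048-bit
  # key record is longer, so the value is split into quoted chunks that
  # resolvers hand back to the verifier to concatenate.
  dz_chunks=$(dkim_record "$3" | fold -w 200 | sed 's/.*/"&"/' | tr '\n' ' ')
  printf '%s._domainkey.%s. IN TXT ( %s)\n' "$1" "$2" "$dz_chunks"
}

# Demo with placeholder selector and domain (constructed values).
demo_dir=$(mktemp -d)
generate_dkim_key "$demo_dir/dkim.private.pem" 2048
dkim_zone_line selector1 example.com "$demo_dir/dkim.private.pem"
```

The private key stays with the signing MTA; only the printed zone line is published, which is why the integrity of the DNS zone, not a certificate chain, is what the verifier ends up relying on.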
_______________________________________________
dkim-milter-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
