> Jonathan Clark wrote:
>>>> When moving to a new key for a domain, may the same selector be used,
>>>> or is the signer required to use a different selector?
>>
>>> You must use a new selector. Otherwise, depending on cache etc., you
>>> might get indeterminate results.
>>
>> If this is the case, doesn't it finesse the whole multiple-signature debate?

> I don't understand why that'd be the case given that each signature
> "points" at its own selector.

[ Also having this discussion with Doug Otis offlist... ]

My thought here was that the primary use of multiple signatures is for rolling keys (and/or algorithms). You slap a new key under the existing selector and sign messages with both keys, so preserving signature validity for old messages. Doug points out that squeezing 2 keys into one (TXT?) record may be a tight fit :-)

Now if you put the new key under a new selector, old messages keep pointing to the old selector, and new ones now point to the new selector, so there's no point to having multiple signatures for this usage.

Doug points out that there are other reasons for multiple signatures, such as redistribution (listservs, forwarding), and I suppose he's right.

BTW this changes my view of whether "x=" is valuable - if it really is one key per selector, then I no longer think that "x=" is valuable.

Jonathan

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
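The two rotation strategies argued about above, as an added example that is not part of the thread or of any DKIM implementation: a dictionary stands in for the DNS TXT records at `<selector>._domainkey.<domain>`, and HMAC-SHA256 with a random key stands in for DKIM's public-key signature so the script runs with the Python standard library alone. Only the tag names (`d=`, `s=`, `b=`, `p=`) follow RFC 6376; the key type `hmac-sha256-toy`, the selector names `s1`/`s2`, the domain `example.org` and the message texts are constructed for the demonstration.

```python
"""Toy model of DKIM selector-based key rotation (added example, not DKIM code).

Assumption: HMAC-SHA256 replaces RSA/Ed25519 signing and a dict replaces DNS,
so only the selector -> key lookup behaviour is realistic.
"""
import hashlib
import hmac
import re
import secrets

# Constructed stand-in for DNS: "<selector>._domainkey.<domain>" -> TXT record text
DNS = {}


def publish_key(domain, selector, key):
    """Publish (or overwrite!) the key record for one selector."""
    DNS[f"{selector}._domainkey.{domain}"] = f"v=DKIM1; k=hmac-sha256-toy; p={key.hex()}"


def revoke_key(domain, selector):
    """Retire a selector once no mail signed with it is still in transit."""
    DNS.pop(f"{selector}._domainkey.{domain}", None)


def lookup_key(domain, selector):
    """Resolve the selector record and return the key bytes, or None if absent."""
    rec = DNS.get(f"{selector}._domainkey.{domain}")
    if rec is None:
        return None
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if t.strip())
    return bytes.fromhex(tags["p"])


def sign(domain, selector, key, body):
    """Produce a DKIM-Signature-style header whose s= tag names the selector."""
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"DKIM-Signature: v=1; a=hmac-sha256-toy; d={domain}; s={selector}; b={mac}"


def verify(header, body):
    """Return 'pass', 'fail' (key present but wrong) or 'permerror' (no record)."""
    tags = dict(re.findall(r"(\w+)=([^;\s]+)", header.split(":", 1)[1]))
    key = lookup_key(tags["d"], tags["s"])
    if key is None:
        return "permerror"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return "pass" if hmac.compare_digest(expected, tags["b"]) else "fail"


def rotation_scenario(reuse_selector):
    """Rotate example.org's key. reuse_selector=True overwrites the record under
    the old selector (the thread's 'indeterminate results' case); False publishes
    the new key under a fresh selector and retires the old one only afterwards."""
    DNS.clear()
    domain = "example.org"
    old_key, new_key = secrets.token_bytes(32), secrets.token_bytes(32)

    publish_key(domain, "s1", old_key)
    old_body = "constructed message signed last week"
    old_hdr = sign(domain, "s1", old_key, old_body)

    new_sel = "s1" if reuse_selector else "s2"
    publish_key(domain, new_sel, new_key)  # overwrites s1's record when reusing
    new_body = "constructed message signed today"
    new_hdr = sign(domain, new_sel, new_key, new_body)

    results = {"old": verify(old_hdr, old_body), "new": verify(new_hdr, new_body)}
    if not reuse_selector:
        revoke_key(domain, "s1")  # after the longest plausible delivery delay
        results["old_after_retire"] = verify(old_hdr, old_body)
    return results


if __name__ == "__main__":
    print("reuse selector:", rotation_scenario(reuse_selector=True))
    print("new selector:  ", rotation_scenario(reuse_selector=False))
```

Reusing the selector makes mail signed before the swap fail as soon as the overwritten record is fetched (and, with real DNS caching, verifiers would disagree with each other until the old record expires). With a fresh selector both generations verify, and the signer controls when old signatures stop validating by deleting the old record, which is the sense in which per-selector keys make an `x=` expiration tag less important.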
