Mark Delany wrote:
> On Sat, Sep 04, 2010 at 01:41:41PM -0700, Steve Atkins allegedly wrote:
> 
>> Do we have any thoughts on 1. how often keys might sensibly be
>> rotated and 2. how long public keys should remain visible after the
>> private key has been rotated out?
> 
> I believe the general thrust is that DKIM keys are ephemeral so no one
> should rely on their long-term presence. Your verifying MTA should
> annotate inbound mail appropriately so that subsequent reliance on the
> public key is not needed. Authentication-Results header being a good
> place to store what is needed here.
> 
> (I know you know this, Steve. I'm just setting the stage).
> 
> In that light, I would expect that a public key only needs to stay
> around as long as an email can remain in-transit plus some
> fudge. Maybe seven days or thereabouts?

I believe this was the general view when this was discussed back in 
2006, a few years back.

I also wrote an I-D called DKIM-RCVD describing the "time shifting" 
issue and a possible solution to address it using a "DKIM-Received:" 
header idea:

    http://tools.ietf.org/html/draft-santos-dkim-rcvd-00

    A proposal offering partial DKIM verification support to help
    resolve premature DKIM signature expiration and key revocation
    related problems associated with time shifted DKIM verifier
    applications.

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
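The thread's point is that downstream processing should rely on what the verifying MTA recorded in Authentication-Results, not on the signer's public key still being in DNS once the selector has been rotated out. The following is an added example, not code from the thread or from either author's software: a small parser for an Authentication-Results header that checks the authserv-id against the local verifier before trusting the recorded DKIM result, and returns the selector of a passing signature for a given signing domain. The header text, the authserv-id `mx.example.net`, the domain `example.com` and the selector `sel2010q3` are constructed sample values.

```python
"""Parse an Authentication-Results header so that later processing can rely on
the verifier's recorded DKIM outcome instead of re-fetching the public key.

Added example; the sample header and all names in it are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: one DKIM result and one SPF result, folded across lines.
SAMPLE_HEADER = (
    "Authentication-Results: mx.example.net;\r\n"
    "\tdkim=pass (2048-bit key) header.d=example.com header.s=sel2010q3\r\n"
    "\t  header.i=@example.com;\r\n"
    "\tspf=pass smtp.mailfrom=example.com"
)


@dataclass
class MethodResult:
    method: str                      # e.g. "dkim", "spf"
    result: str                      # e.g. "pass", "fail", "none"
    reason: Optional[str] = None     # optional reason=... token
    props: Dict[str, str] = field(default_factory=dict)  # e.g. header.d, header.s


def unfold(raw: str) -> str:
    """Undo RFC 5322 header folding (line break followed by whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def strip_comments(text: str) -> str:
    """Remove parenthesised comments, innermost first so nesting is handled."""
    prev = None
    while prev != text:
        prev = text
        text = re.sub(r"\([^()]*\)", " ", text)
    return text


def parse_auth_results(raw: str) -> Tuple[str, List[MethodResult]]:
    """Return (authserv-id, [MethodResult, ...]) for one header.

    Tokens are split on whitespace, so a quoted reason containing spaces is
    not handled; that is a simplification of this example.
    """
    body = strip_comments(unfold(raw)).strip()
    if body.lower().startswith("authentication-results:"):
        body = body.split(":", 1)[1]
    parts = [p.strip() for p in body.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty Authentication-Results header")
    authserv_id = parts[0].split()[0]  # drop the optional version token
    results: List[MethodResult] = []
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        if not method or not result:
            raise ValueError("malformed resinfo: %r" % part)
        mr = MethodResult(method.lower(), result.lower())
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            value = value.strip('"')
            if key.lower() == "reason":
                mr.reason = value
            else:
                mr.props[key.lower()] = value
        results.append(mr)
    return authserv_id, results


def dkim_pass_selector(raw: str, trusted_authserv: str,
                       signing_domain: str) -> Optional[str]:
    """Selector of a passing DKIM signature for signing_domain, or None.

    The header is only trusted when its authserv-id is our own verifying MTA;
    a header carrying any other authserv-id may have arrived with the message.
    """
    authserv_id, results = parse_auth_results(raw)
    if authserv_id.lower() != trusted_authserv.lower():
        return None
    for r in results:
        if (r.method == "dkim" and r.result == "pass"
                and r.props.get("header.d", "").lower() == signing_domain.lower()):
            return r.props.get("header.s")
    return None


if __name__ == "__main__":
    print(dkim_pass_selector(SAMPLE_HEADER, "mx.example.net", "example.com"))
```

Because the selector and signing domain are recorded alongside the result, a later consumer (a mailbox filter, an archive, a forensic review) can still tell which key signed the message after the seven-day window the thread suggests has passed and the DNS record is gone.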


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
