On 09/09/2010 09:57 AM, Mark Martinec wrote:
> Mark Delany wrote:
>> I believe the general thrust is that DKIM keys are ephemeral
>> so no one should rely on their long-term presence. [...]
>
> With each key there is an associated selector:domain pair,
> so with a key rotation comes the change of a selector.
> Such a purpose of a selector is clearly documented in the
> DKIM RFC.
>
> Rumor has it that some large players (such as Yahoo!) are
> disregarding such ephemeral property of a selector and
> are trying to associate a reputation scheme based on both
> the domain *and* the selector. If such approach catches up,
> it would mean the end of a free choice of domains to roll up
> new signing keys periodically.
>
> Are my worries warranted? Is there anything that can be
> done about it to prevent such practice?
I'm pretty sure that Mark isn't an advocate of such a practice, but let's face reality here: RBLs use IP addresses, which are far more transient, yet we somehow cope. And I don't think that one of the worst problems with RBLs vs. IP addresses (collateral damage when IP addresses change hands) even applies here. But if a reputation service isn't prepared for key rollover on selectors, I'd look for another one because they're incompetent. What else is a DKIM signer supposed to do if a key is compromised? Blast out memory eraser rays?

Mike

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
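As an added illustration of the selector:domain point discussed above (example code, not from the thread or any of its participants): parse the s= and d= tags of a DKIM-Signature header, derive the DNS name a verifier queries for the key, and compare a reputation store keyed on the domain alone with one keyed on domain plus selector across a selector rotation. The header values, selector names and the toy scoring are all constructed for the example.

```python
import re

# Constructed sample headers (not from the thread): one domain signing
# before and after a selector rotation; bh= and b= are placeholders.
SIG_BEFORE = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=jan2010;"
              " c=relaxed/relaxed; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")
SIG_AFTER = SIG_BEFORE.replace("s=jan2010", "s=sep2010")

def parse_tags(header):
    """Split the tag=value list of a DKIM-Signature header (RFC 6376 tag-list)."""
    _, _, body = header.partition(":")
    tags = {}
    for item in body.split(";"):
        if "=" not in item:
            continue
        k, _, v = item.partition("=")
        tags[k.strip()] = re.sub(r"\s+", "", v)  # folding whitespace is not significant
    return tags

def key_record_name(tags):
    """DNS name the verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

class Reputation:
    """Toy score store; key_on_selector=True models the practice the thread worries about."""
    def __init__(self, key_on_selector):
        self.key_on_selector = key_on_selector
        self.scores = {}

    def _ident(self, tags):
        return (tags["d"], tags["s"]) if self.key_on_selector else (tags["d"],)

    def record(self, tags, good):
        ident = self._ident(tags)
        self.scores[ident] = self.scores.get(ident, 0) + (1 if good else -1)

    def score(self, tags):
        return self.scores.get(self._ident(tags), 0)

def rotation_effect(good_messages=100):
    """Score seen for the first message after rotation: (domain-keyed, domain+selector-keyed)."""
    before, after = parse_tags(SIG_BEFORE), parse_tags(SIG_AFTER)
    by_domain, by_domain_sel = Reputation(False), Reputation(True)
    for _ in range(good_messages):
        by_domain.record(before, True)
        by_domain_sel.record(before, True)
    return by_domain.score(after), by_domain_sel.score(after)

if __name__ == "__main__":
    print(key_record_name(parse_tags(SIG_BEFORE)), "->", key_record_name(parse_tags(SIG_AFTER)))
    print(rotation_effect())  # (100, 0): the domain+selector reputation starts from scratch
```

The domain-keyed store carries the earned score across the rotation, while the domain+selector store sees the rotated selector as an unknown signer, which is the loss of free key rollover the thread describes.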
