> On Jun 11, 2016, at 2:38 PM, Brandon Long via mailop <[email protected]> wrote:
>
> Why rotate keys that often?

Because the main attack against DKIM signatures is (ex?) staff walking off with the key pairs. It's not a _big_ risk, in most cases, I don't think, but it's the main one if you're using keys of a reasonable size.

> And why pull the public one if you do?

That's how you invalidate the old key, mitigating the stolen key problem. The point of cycling keys is to invalidate old ones.

Cheers,
  Steve

> Brandon
>
> On Jun 10, 2016 3:59 PM, "Ted Cooper" <[email protected]> wrote:
>> On 11/06/16 05:02, Michael Wise via mailop wrote:
>>> Well, the From: domain would be a good start.
>>>
>>> It would certainly cut down on the trivial forgeries, and could easily
>>> be transferred from the web to email with a single mailto: link.
>>
>> Any signed DKIM message can only be authenticated while the key remains
>> in DNS - I cycle mine once a month, and pull the key after that. Once it
>> is no longer available, the signature may as well be made up.
>>
>> _______________________________________________
>> mailop mailing list
>> [email protected]
>> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
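As an added example (not code from anyone on this thread): a simulated DNS zone with monthly selectors, showing that a signature made with a key whose selector record has been revoked or pulled no longer verifies, which is what limits the damage from a private key that walked out the door. The RSA key pair is a constructed toy built from two Mersenne primes and the signature is textbook RSA over a SHA-256 digest, standing in for a real signer's 2048-bit RSASSA-PKCS1-v1_5 and header/body canonicalization; example.net and the selector names are assumed.

```python
import base64
import hashlib

E = 65537  # standard RSA public exponent
def toy_keypair(q_exp):
    # Constructed toy RSA key from two Mersenne primes, 2^127-1 and 2^q_exp-1
    # (q_exp 521 or 607). Not secure: it stands in for a real 2048-bit key.
    p, q = (1 << 127) - 1, (1 << q_exp) - 1
    n = p * q
    return (n, pow(E, -1, (p - 1) * (q - 1))), n  # (private key, public modulus)
def publish(zone, domain, selector, n):
    # Publish the public key as the selector._domainkey TXT record (RFC 6376 3.6.1).
    p = base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()
    zone[f"{selector}._domainkey.{domain}"] = f"v=DKIM1; k=rsa; p={p}"
def revoke(zone, domain, selector):
    # RFC 6376 3.6.1: an empty p= tag means the key is revoked; deleting the
    # record ("pulling" it, as in the thread) has the same effect on verifiers.
    zone[f"{selector}._domainkey.{domain}"] = "v=DKIM1; k=rsa; p="
def sign(priv, body):
    # Textbook RSA over a SHA-256 digest; real DKIM uses RSASSA-PKCS1-v1_5 over
    # canonicalized headers and body, but the DNS lifecycle is the same.
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(body).digest(), "big"), d, n)

def verify(zone, domain, selector, body, sig):
    # What a verifier does with the s= and d= tags of a DKIM-Signature header.
    rec = zone.get(f"{selector}._domainkey.{domain}")
    if rec is None:
        return "permfail: no key record"
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if t.strip())
    if not tags.get("p"):
        return "permfail: key revoked"
    n = int.from_bytes(base64.b64decode(tags["p"]), "big")
    h = int.from_bytes(hashlib.sha256(body).digest(), "big")
    return "pass" if pow(sig, E, n) == h else "fail"

def rotation_lifecycle(domain="example.net"):
    # Monthly rotation: the June key signs a message, July's key replaces it,
    # the June record is revoked and then pulled. Returns the verifier results.
    zone, body = {}, b"constructed sample message body\r\n"
    june_priv, june_pub = toy_keypair(521)
    publish(zone, domain, "s201606", june_pub)
    sig = sign(june_priv, body)  # a stolen copy of june_priv signs identically
    results = [verify(zone, domain, "s201606", body, sig)]
    publish(zone, domain, "s201607", toy_keypair(607)[1])
    revoke(zone, domain, "s201606")
    results.append(verify(zone, domain, "s201606", body, sig))
    del zone[f"s201606._domainkey.{domain}"]
    results.append(verify(zone, domain, "s201606", body, sig))
    return results
```

The verifier cannot tell a legitimate June signature from one made with a stolen copy of the June key, so revoking or pulling the record invalidates both; that is the trade-off behind cycling selectors.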
