If your key is compromised, generate another and publish it on DNS.

On Fri, May 3, 2019, 19:43 Grant Taylor <gtay...@tnetconsulting.net> wrote:
> On 5/3/19 5:10 PM, Kevin A. McGrail wrote:
> > I guess if you lose control of your keys and/or your DNS is compromised,
> > then yes, you have a DKIM issue.
>
> This brings up a non-repudiation issue introduced by DKIM.
>
> How can you successfully refute a DKIM-Signature if someone has your
> signing keys?
>
> My quick skim of parts of RFC 6376 makes me think that it is dangerous
> and discouraged to associate authentication based on DKIM-Signature,
> even when the d= SDID (?) matches the From: header.
>
> Yet even more reason to reread RFC 6376 before replying to Bill's email.
>
> Presently I'm comfortable in thinking that DKIM-Signature validation
> means that the message has not changed in transit.  I'm not (yet)
> comfortable drawing any conclusions about authentication.
>
> --
> Grant. . . .
> unix || die
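
One way to carry out the "generate another and publish it on DNS" step, as an added example that is not part of the original thread: it formats the TXT record for a new selector and revokes the compromised selector with an empty p= tag (RFC 6376, section 3.6.1). The domain, the selector names and the key bytes are constructed placeholders, and the function names are hypothetical.

```python
import base64
import re

# Constructed placeholder bytes sized like a 2048-bit RSA SubjectPublicKeyInfo.
# NOT a real key: substitute the public key your key-generation tool emits.
_FAKE_DER = bytes(range(256)) + bytes(38)
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.encodebytes(_FAKE_DER).decode()
              + "-----END PUBLIC KEY-----\n")

def pem_to_p(pem: str) -> str:
    """Return the base64 body of a PEM public key, as used in the p= tag."""
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----", "", pem)
    p = "".join(body.split())
    base64.b64decode(p, validate=True)  # raises binascii.Error on bad input
    return p

def txt_rdata(value: str) -> str:
    """Quote a TXT value, split into character-strings of at most 255 octets."""
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)] or [""]
    return " ".join(f'"{c}"' for c in chunks)

def rotation_records(domain, old_selector, new_selector, new_pubkey_pem):
    """Zone-file lines: publish the new key, revoke the compromised one."""
    new_value = f"v=DKIM1; k=rsa; p={pem_to_p(new_pubkey_pem)}"
    revoked = "v=DKIM1; p="  # empty p= marks the key as revoked
    return [
        f"{new_selector}._domainkey.{domain}. IN TXT {txt_rdata(new_value)}",
        f"{old_selector}._domainkey.{domain}. IN TXT {txt_rdata(revoked)}",
    ]

if __name__ == "__main__":
    # Hypothetical domain and selector names.
    for line in rotation_records("example.org", "s2018", "s2019", SAMPLE_PEM):
        print(line)
```

Mail signed under the old selector stops verifying once the revoked record is published, so switch the signer to the new selector first.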