
Re: [dkim-ops] dkim key "x=" expiration tags -- not in wide use, or need additional config?

2018-01-01 20:59:34
On 1/1/18 4:26 PM, John R. Levine wrote:
>> Are "x=" tags simply not in wide use for validity checks?

> I've been saving the DKIM signatures from mail to my personal inbox for a while.  Of 33,464 signatures, only 708 have x= tags.

An informative stat datapoint.

> I'm not surprised.

TBH I am a bit ...

> It's hard to think of a scenario where there is a realistic use for x= other than senders that imagine that it is "more secure".

No more imaginary than DKIM verification/validation itself.

The use case seems fairly straightforward -- simply providing another verification point for verifiers. If verified after expiry, it's obviously a problem.

What I do now realize is that my initial problem's PEBKAC.

The 'after _intended_ key expiry' case is dealt with by simple key rollover.

The "x=" tag added at signing-time appears to address a slightly different case.

My signer is OpenDKIM, and it apparently needs to have 'SignatureTTL' set in its config before it'll add the "x=" tag at all. It's got nothing to do with planned key rollover dates.

In OpenDKIM, at least, it's a *fixed* value. It can't, afaict, be passed in key/signing table data on a per-key basis. What it supposedly addresses is delay between receipt and DKIM verification; a suspect, if not conclusive, behavior.

What I'm lacking so far is any data showing that issue's prevalence, or lack thereof.
dkim-ops mailing list
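The verifier-side "x=" check the message discusses, as an added example that is not part of the original post or of OpenDKIM: it parses the tag list of a DKIM-Signature header and reports whether the signature is past its expiry at the moment of verification, which is how a delay between receipt and verification turns a good signature into a failing one. The header value, selector and timestamps are constructed.

```python
"""Evaluate the DKIM "x=" (signature expiration) tag at verification time."""
import re

# Constructed sample header value (not from a real message).
# t= is 2018-01-01 20:59:34 UTC; x= is t + 604800 s (7 days), the delta that
# an OpenDKIM "SignatureTTL 604800" setting would add at signing time.
SAMPLE_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2018;\r\n"
    "\th=from:to:subject:date; t=1514840374; x=1515445174;\r\n"
    "\tbh=ZmFrZQ==; b=ZmFrZQ=="
)


def parse_tags(header_value: str) -> dict:
    """Parse an RFC 6376 tag=value list, tolerating folded whitespace (FWS)."""
    tags = {}
    for item in header_value.split(";"):
        if "=" not in item:
            continue  # empty trailing element or junk; ignore
        name, value = item.split("=", 1)  # b= values contain '=' padding
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signature_ttl(tags: dict):
    """Lifetime the signer granted (x - t), or None if either tag is absent."""
    if "t" in tags and "x" in tags:
        return int(tags["x"]) - int(tags["t"])
    return None


def check_expiry(tags: dict, now: int, fudge: int = 0) -> str:
    """Return 'no-x', 'invalid', 'valid' or 'expired' for a parsed signature.

    `now` is the verifier's clock (Unix seconds); `fudge` is an optional
    clock-skew allowance in seconds, which RFC 6376 lets verifiers apply.
    """
    if "x" not in tags:
        return "no-x"  # the common case in the statistics quoted above
    try:
        x = int(tags["x"])
        t = int(tags["t"]) if "t" in tags else None
    except ValueError:
        return "invalid"
    if t is not None and x <= t:
        return "invalid"  # RFC 6376: x= MUST be greater than t= when both present
    return "expired" if now > x + fudge else "valid"
```

Verifying at receipt (minutes after t=) yields "valid"; re-verifying the same stored message more than SignatureTTL seconds later yields "expired" even though the key and body are unchanged.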
