On 1/1/18 4:26 PM, John R. Levine wrote:
>> Are "x=" tags simply not in wide use for validity checks?
> I've been saving the DKIM signatures from mail to my personal inbox for
> a while. Of 33,464 signatures, only 708 have x= tags.
An informative stat datapoint.
> I'm not surprised.
TBH I am a bit ...
> It's hard to think of a scenario where there is a
> realistic use for x= other than senders that imagine that it is "more
> secure".
No more imaginary than DKIM verification/validation itself.
The use case seems fairly straightforward -- simply providing another
verification point for verifiers. If verified after expiry, it's
obviously a problem.
What I do now realize is that my initial problem's PEBKAC.
The 'after _intended_ key expiry' case is dealt with by simple key rollover.
The "x=" tag added at signing-time appears to address a slightly
different case.
My signer is OpenDKIM -- and apparently it needs to have 'SignatureTTL' set
in its config before it'll add the "x=" tag at all. It's got nothing to
do with planned key rollover dates.
In OpenDKIM, at least, it's a *fixed* value. It can't, afaict, be
passed in key/signing table data on a per-key basis. What it supposedly
addresses is delay between receipt and DKIM verification; a suspect, if
not conclusive, behavior.
What I'm lacking so far is any data showing that issue's prevalence, or
lack thereof.
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
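An added example (not from the thread or from OpenDKIM) showing what a verifier actually does with the "x=" tag being discussed: it parses the DKIM-Signature tag list, applies the RFC 6376 rule that x= must exceed t=, and classifies the signature against the verification time. The sample header values, the `skew` allowance and the `signing_tags` helper (modelling a fixed TTL added to t=, as the thread describes for SignatureTTL) are assumptions for illustration.

```python
import time


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature header value into a {tag: value} dict.

    Tags are ';'-separated 'name=value' pairs; folding whitespace may appear
    around and inside values, so all whitespace is removed from the value.
    """
    tags = {}
    for field in header_value.split(";"):
        if "=" not in field:
            continue
        name, _, value = field.partition("=")
        tags[name.strip()] = "".join(value.split())
    return tags


def check_expiry(tags, now=None, skew=0):
    """Classify the signature's x= tag: 'no-expiry', 'valid', 'expired' or 'malformed'.

    `skew` (seconds, assumed allowance) tolerates clock differences between
    signer and verifier; RFC 6376 leaves such slack to verifier policy.
    """
    now = int(time.time()) if now is None else now
    x = tags.get("x")
    if x is None:
        return "no-expiry"  # most signatures in the wild, per the thread's numbers
    t = tags.get("t")
    try:
        x_int = int(x)
        t_int = int(t) if t is not None else None
    except ValueError:
        return "malformed"
    # RFC 6376 section 3.5: x= MUST be greater than t= when both are present.
    if t_int is not None and x_int <= t_int:
        return "malformed"
    if now > x_int + skew:
        return "expired"
    return "valid"


def signing_tags(now, ttl):
    """Assumed signer behaviour: x= is a fixed offset (ttl seconds) from t=."""
    return {"t": str(now), "x": str(now + ttl)}


# Constructed sample: signed 2018-01-01 with a seven-day expiry; bh=/b= are placeholders.
SAMPLE_SIGNED = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel2018;\r\n"
                 "\tt=1514838360; x=1515443160; h=from:to:subject:date;\r\n"
                 "\tbh=PLACEHOLDER; b=PLACEHOLDER")
```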