ietf-dkim

Re[2]: [ietf-dkim] multiple keys under same selector+domain?

2006-04-11 15:03:44
Jonathan Clark wrote:
When moving to a new key for a domain, may the same selector be used, 
or is the signer required to use a different selector?

You must use a new selector. Otherwise, depending on cache etc., you
might get indeterminate results.

If this is the case, doesn't it finesse the whole multiple-signature debate?

I don't understand why that'd be the case given that each signature
"points" at its own selector.

[ Also having this discussion with Doug Otis offlist... ]

My thought here was that the primary use of multiple signatures is for
rolling keys (and/or algorithms). You slap a new key under the existing
selector and sign messages with both keys, so preserving signature
validity for old messages. Doug points out that squeezing 2 keys into
one (TXT?) record may be a tight fit :-)

Now if you put the new key under a new selector, old messages keep pointing
to the old selector, and new ones now point to the new selector, so there's
no point to having multiple signatures for this usage.

Doug points out that there are other reasons for multiple signatures, such
as redistribution (listservs, forwarding), and I suppose he's right.

BTW this changes my view of whether "x=" is valuable - if it really is
one key per selector, then I no longer think that "x=" is valuable.

Jonathan
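As an added illustration of the cache point raised above (not code from this thread or from any DKIM implementation): a toy model, in Python, of a verifier that walks `selector._domainkey.domain` through a TTL-honouring cache. An HMAC tag stands in for the real RSA signature, and the domain, keys, selector names and TTLs are constructed; the point is only how the selector name decides which key the verifier fetches during a rollover.

```python
import hmac, hashlib
DOMAIN, BODY = "example.com", b"hello"          # constructed sample values
OLD_KEY, NEW_KEY = b"old-secret", b"new-secret"

def dkim_name(selector, domain):
    return f"{selector}._domainkey.{domain}"

class Resolver:  # authoritative zone plus a verifier-side cache honouring TTLs
    def __init__(self):
        self.zone, self.cache = {}, {}
    def publish(self, selector, domain, key, ttl=3600):
        self.zone[dkim_name(selector, domain)] = (key, ttl)
    def lookup(self, selector, domain, now):
        name = dkim_name(selector, domain)
        hit = self.cache.get(name)
        if hit and hit[1] > now:                 # cache hit: may be a stale key
            return hit[0]
        key, ttl = self.zone.get(name, (None, 0))
        self.cache[name] = (key, now + ttl)
        return key

def sign(body, selector, key):
    # Stand-in for a DKIM-Signature: s= names the selector, b= carries the tag.
    return {"s": selector, "b": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(body, sig, domain, resolver, now):
    key = resolver.lookup(sig["s"], domain, now)  # follow s= to the published key
    return key is not None and hmac.compare_digest(
        hmac.new(key, body, hashlib.sha256).hexdigest(), sig["b"])

def rotate_same_selector():  # overwrite s1: outcome depends on the verifier's cache
    r = Resolver()
    r.publish("s1", DOMAIN, OLD_KEY)
    old_msg = sign(BODY, "s1", OLD_KEY)
    first = verify(BODY, old_msg, DOMAIN, r, now=0)      # caches s1 -> OLD_KEY
    r.publish("s1", DOMAIN, NEW_KEY)                      # rollover, same selector
    new_msg = sign(BODY, "s1", NEW_KEY)
    return (first,
            verify(BODY, new_msg, DOMAIN, r, now=20),    # stale cache: fails
            verify(BODY, new_msg, DOMAIN, r, now=4000),  # cache expired: passes
            verify(BODY, old_msg, DOMAIN, r, now=4000))  # old key gone: fails

def rotate_new_selector():  # publish the new key under s2 and leave s1 in place
    r = Resolver()
    r.publish("s1", DOMAIN, OLD_KEY)
    r.publish("s2", DOMAIN, NEW_KEY)
    old_msg, new_msg = sign(BODY, "s1", OLD_KEY), sign(BODY, "s2", NEW_KEY)
    return (verify(BODY, old_msg, DOMAIN, r, now=0),
            verify(BODY, new_msg, DOMAIN, r, now=20))
```

The same-selector run shows the "indeterminate" window: which key a verifier sees depends on whether its cache has expired, while the new-selector run keeps old and new messages verifiable at the same time without double signing.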

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html