ietf-dkim

Re: [ietf-dkim] multiple keys under same selector+domain?

2006-04-11 15:14:03

Hi,

Jonathan Clark wrote:
When moving to a new key for a domain, may the same selector be used, or is the signer required to use a different selector?
You must use a new selector. Otherwise, depending on cache etc., you
might get indeterminate results.
If this is the case, doesn't it finesse the whole multiple-signature debate?

I don't understand why that'd be the case given that each signature
"points" at its own selector.

[ Also having this discussion with Doug Otis offlist... ]

My thought here was that the primary use of multiple signatures is for
rolling keys (and/or algorithms). You slap a new key under the existing
selector and sign messages with both keys, so preserving signature
validity for old messages. Doug points out that squeezing 2 keys into
one (TXT?) record may be a tight fit :-)

Yes. One key per TXT record would be a reasonable restriction.

Now if you put the new key under a new selector, old messages keep pointing
to the old selector, and new ones now point to the new selector, so there's
no point to having multiple signatures for this usage.

Ah. You mean if you've also deleted the old key record from DNS. Well,
yes, but during a transition where the same entity is signing twice, I
would guess that deleting the old key would be a bit counterproductive
in that case.

Doug points out that there are other reasons for multiple signatures, such
as redistribution (listservs, forwarding), and I suppose he's right.

BTW this changes my view of whether "x=" is valuable - if it really is
one key per selector, then I no longer think that "x=" is valuable.

Feel free to revise your posting under that thread. I'll try to base
the sums on people's last opinions. (But I'll probably discount all
postings from anyone who expresses too many opinions. How many is
too many? Not saying:-)

S.
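The two rollover strategies argued about above, as an added illustration that is not part of the original thread. It is a toy model: DKIM's RSA signatures are replaced by an HMAC over the body keyed with the material published in the selector record, and DNS is a dictionary with a fixed-TTL resolver cache; the domain, selector names, key strings and TTL are constructed. What it shows is the selector indirection: overwriting a key under the same selector leaves verifiers with a cached record unable to verify new messages until the TTL expires and breaks old messages afterwards, while publishing the new key under a new selector and keeping the old record for the transition lets both old and new signatures verify regardless of cache state.

```python
import hashlib
import hmac

# Constructed toy stand-in for DKIM: a per-selector secret and HMAC-SHA256
# replace the RSA key pair. Only the selector/DNS semantics are realistic.


class ToyDns:
    """Authoritative TXT zone plus a resolver cache with a fixed TTL."""

    def __init__(self, ttl=300):
        self.zone = {}    # name -> TXT record string
        self.cache = {}   # name -> (record, expiry time)
        self.ttl = ttl
        self.now = 0      # simulated clock, seconds

    def publish(self, selector, domain, key_material):
        # One key per TXT record, as the thread suggests; overwrites in place.
        self.zone[f"{selector}._domainkey.{domain}"] = f"v=DKIM1; k=toy; p={key_material}"

    def unpublish(self, selector, domain):
        self.zone.pop(f"{selector}._domainkey.{domain}", None)

    def lookup(self, name):
        hit = self.cache.get(name)
        if hit and hit[1] > self.now:
            return hit[0]                      # served from cache, possibly stale
        rec = self.zone.get(name)
        if rec is not None:
            self.cache[name] = (rec, self.now + self.ttl)
        return rec


def parse_tags(tag_list):
    """Parse 'k=v; k=v' into a dict (enough for this toy)."""
    return dict(kv.strip().split("=", 1) for kv in tag_list.split(";") if "=" in kv)


def sign(body, domain, selector, key_material):
    tag = hmac.new(key_material.encode(), body.encode(), hashlib.sha256).hexdigest()
    return f"v=1; a=toy; d={domain}; s={selector}; b={tag}"


def verify(dns, body, dkim_header):
    """Return 'pass', 'fail' (key found, signature mismatch) or 'permfail' (no record)."""
    tags = parse_tags(dkim_header)
    rec = dns.lookup(f"{tags['s']}._domainkey.{tags['d']}")
    if rec is None:
        return "permfail"
    key_material = parse_tags(rec)["p"]
    expected = hmac.new(key_material.encode(), body.encode(), hashlib.sha256).hexdigest()
    return "pass" if hmac.compare_digest(expected, tags["b"]) else "fail"


def rotate_same_selector():
    """Roll the key under the existing selector (the strategy the reply warns against)."""
    dns = ToyDns(ttl=300)
    dns.publish("sel1", "example.com", "OLDKEY")
    old_sig = sign("hello", "example.com", "sel1", "OLDKEY")
    first = verify(dns, "hello", old_sig)           # primes the verifier's cache
    dns.publish("sel1", "example.com", "NEWKEY")    # overwrite the record in place
    new_sig = sign("hello", "example.com", "sel1", "NEWKEY")
    while_cached = verify(dns, "hello", new_sig)    # stale record -> new mail fails
    dns.now += 301                                  # let the cached record expire
    after_expiry = verify(dns, "hello", new_sig)    # now passes
    old_after = verify(dns, "hello", old_sig)       # old mail no longer verifies
    return first, while_cached, after_expiry, old_after


def rotate_new_selector():
    """Publish the new key under a new selector and keep the old record during the transition."""
    dns = ToyDns(ttl=300)
    dns.publish("sel1", "example.com", "OLDKEY")
    old_sig = sign("hello", "example.com", "sel1", "OLDKEY")
    verify(dns, "hello", old_sig)                   # primes the cache for sel1
    dns.publish("sel2", "example.com", "NEWKEY")
    new_sig = sign("hello", "example.com", "sel2", "NEWKEY")
    both = (verify(dns, "hello", old_sig), verify(dns, "hello", new_sig))
    dns.unpublish("sel1", "example.com")            # retire the old key afterwards
    dns.now += 301
    retired = verify(dns, "hello", old_sig)         # record gone -> permfail
    return both, retired


if __name__ == "__main__":
    print("same selector:", rotate_same_selector())
    print("new selector:", rotate_new_selector())
```

Because each signature carries its own s= tag, two signatures on one message during a transition would each resolve to their own record; the model above is the case where one key is retired by deleting its record, which is why the old signature ends as permfail only after the old selector is removed.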

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html