On Apr 14, 2006, at 11:04 AM, Dave Crocker wrote:
Bill(_dot_)Oxley(_at_)cox(_dot_)com wrote:
I suspect in the real sysadmin world changing keys every week
probably isn't going to happen :-)
Given the intended use of DKIM and given the current state of DNS
administrative tools, what do folks think *is* a realistic
expectation (and recommendation) for the lifespan of a key, for a
typical email operation?
In other words, given the pragmatics, how often is reasonable and
appropriate for changing keys?
I expect to see four varieties.
1) Never changes
2) Never changes except when someone realizes they've lost or
leaked the private key.
3) Changed monthly.
4) Cycled on a regular hourly or daily schedule with automatically
generated keys and expiration of DNS records for old keys running
on a custom stunt DNS server.
And I'd expect the vast majority to be the first or the last. Of those,
mostly the first.
Cheers,
Steve
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html