Steve Atkins wrote:
Do we have any thoughts on 1. how often keys might sensibly be
rotated and 2. how long public keys should remain visible after the
private key has been rotated out?
The WG discussed this around 2006. The DKIM-RCVD I-D I wrote
summarizes the "timing issues" from the discussions and also offered a
way to help resolve this issue:
http://tools.ietf.org/html/draft-santos-dkim-rcvd-00
There are three basic timing points:
T1 - delivery time
T2 - MFA (Mail Filtering Agent) process time
T3 - MUA process/read/view time
T1 is 7 days based on DKIM recommendations and adequately covers the
SMTP recommendations of 4-5 retry days. So at a minimum the key
retention time should be 7 days.
But there is a T2 gap time when the MFA gets it. This time will
most likely be pretty short. And there is a T3 gap between the MFA and
the time the MUA gets it. Who knows what T3 is, but it could be
pretty long, i.e. a user goes on vacation or simply reads his mail
once per day or whatever. So T3 helps consider possible MUAs with
DKIM verification plug-ins.
Since T3 can range from low to high in time significance, the I-D proposed a
method whereby the middleware (DKIM verifier or not) will create/add
a DKIM-Received with your public key information. This way, by the
time it is actually needed by a verifier, it will have the old public
key information in DKIM-Received.
I also suggested that this DKIM-Received header can be used as a
migration idea for those systems not yet ready to sign or verify but
can get the information and store it in the header in case there will be
a long time-shifted verification period that exceeds the domain's key
expiration.
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
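The timing argument above, worked through as an added example (not code from the post or from the DKIM-RCVD draft): it models a selector record that is removed from DNS T1 days after the private key is rotated out, and shows a late MUA-side verification failing against DNS but succeeding when the key was captured at MFA time. The record layout, the sample dates and the captured-header fields are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

T1 = timedelta(days=7)  # delivery window the post derives from DKIM/SMTP retry advice


@dataclass(frozen=True)
class PublishedKey:
    """A DKIM selector record as seen in DNS (constructed sample, not a real key)."""
    selector: str
    public_key: str            # placeholder value, not real key material
    signing_until: datetime    # private key rotated out of the signer
    published_until: datetime  # selector record removed from DNS


def minimum_retention(t2: timedelta, t3: timedelta) -> timedelta:
    """Public key must stay visible for T1 + T2 + T3 after the private key is rotated out."""
    return T1 + t2 + t3


def dns_lookup(key: PublishedKey, at: datetime) -> Optional[str]:
    """Simulated DNS: the selector record exists only until published_until."""
    return key.public_key if at < key.published_until else None


def capture_at_mfa(key: PublishedKey, mfa_at: datetime) -> Optional[dict]:
    """What a DKIM-Received-style header would record at MFA time (field names assumed)."""
    pk = dns_lookup(key, mfa_at)
    if pk is None:
        return None
    return {"selector": key.selector, "public_key": pk, "captured_at": mfa_at}


def verify_at_mua(key: PublishedKey, mua_at: datetime, captured: Optional[dict] = None) -> str:
    """Prefer the key captured earlier in the chain; fall back to a live DNS lookup."""
    if captured is not None and captured["selector"] == key.selector:
        return "verified-from-captured-key"
    if dns_lookup(key, mua_at) is not None:
        return "verified-from-dns"
    return "key-missing"


def vacation_scenario() -> tuple:
    """Signed before rotation, filtered inside T1, read 20 days after rotation."""
    rotate = datetime(2008, 1, 1)  # constructed rotation date
    key = PublishedKey("s1", "PK-PLACEHOLDER", rotate, rotate + T1)
    mfa_at = rotate + timedelta(days=5)
    mua_at = rotate + timedelta(days=20)
    return verify_at_mua(key, mua_at), verify_at_mua(key, mua_at, capture_at_mfa(key, mfa_at))
```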
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html