ietf-dkim

Re: [ietf-dkim] Key rotation

2010-09-09 13:22:04

This points up an issue with the use of selectors. 

Some signers use selectors to differentiate streams of mail. This plays
into what you describe Yahoo! as doing for reputation.

We will be using the approach you describe for key rotation. Given that
my goal is to rotate keys quarterly (more for operational considerations
than security) this would be a problem if Yahoo! is really going this
route.

Mike

-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org [mailto:ietf-dkim-
bounces(_at_)mipassoc(_dot_)org] On Behalf Of Mark Martinec
Sent: Thursday, September 09, 2010 12:57 PM
To: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Key rotation

Mark Delany wrote:
I believe the general thrust is that DKIM keys are ephemeral
so no one should rely on their long-term presence. [...]

With each key there is an associated selector:domain pair,
so with a key rotation comes the change of a selector.
Such a purpose of a selector is clearly documented in the
DKIM rfc.

Rumor has it that some large players (such as Yahoo!) are
disregarding such an ephemeral property of a selector and
are trying to associate a reputation scheme based on both
the domain *and* the selector. If such an approach catches on,
it would mean the end of a free choice of domains to roll up
new signing keys periodically.

Are my worries warranted? Is there anything that can be
done about it to prevent such practice?

  Mark
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
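The selector mechanics discussed in this thread (one selector:domain pair per signing key, a new selector with every rotation, the previous key left published only until mail signed with it has cleared), worked through as an added example that is not part of the thread or of any DKIM implementation. The quarterly selector naming scheme (YYYYqN), the 14-day overlap window, the example.com domain and the key material are all constructed assumptions; the record layout follows RFC 6376, where the public key is published as a TXT record at selector._domainkey.domain and an empty p= tag marks a key as revoked.

```python
"""Quarterly DKIM selector rotation plan (added example, not thread code).

Each signing key has its own selector. Verifiers fetch the public key from
the TXT record at <selector>._domainkey.<domain> (RFC 6376), so rotating a
key means: publish the new selector, keep the previous one online while
mail signed with it may still be in transit, then revoke it with "p=".
"""
from datetime import date, timedelta
from typing import Dict, Tuple

DOMAIN = "example.com"   # constructed sample domain
OVERLAP_DAYS = 14        # assumption: how long the previous key stays verifiable

# Constructed placeholder key material, not real RSA public keys.
SAMPLE_KEYS = {
    "2010q2": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC-PLACEHOLDER-Q2",
    "2010q3": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC-PLACEHOLDER-Q3",
}


def quarter_of(d: date) -> Tuple[int, int]:
    """(year, quarter) containing d, quarter in 1..4."""
    return d.year, (d.month - 1) // 3 + 1


def selector_for(d: date) -> str:
    """Selector name for the quarter containing d, e.g. 2010-09-09 -> '2010q3'."""
    y, q = quarter_of(d)
    return f"{y}q{q}"


def previous_quarter_selector(d: date) -> str:
    """Selector that was current in the quarter before the one containing d."""
    y, q = quarter_of(d)
    return f"{y - 1}q4" if q == 1 else f"{y}q{q - 1}"


def quarter_start(d: date) -> date:
    """First day of the quarter containing d (the day the selector went live)."""
    y, q = quarter_of(d)
    return date(y, 3 * (q - 1) + 1, 1)


def record_name(selector: str, domain: str) -> str:
    """DNS owner name of the DKIM key record (RFC 6376 section 3.6.2.1)."""
    return f"{selector}._domainkey.{domain}"


def key_record(pubkey_b64: str) -> str:
    """TXT record value that publishes an active RSA public key."""
    return f"v=DKIM1; k=rsa; p={pubkey_b64}"


def revoked_record() -> str:
    """TXT record value that revokes a key: RFC 6376 3.6.1 says empty p= means revoked."""
    return "v=DKIM1; p="


def signature_tags(selector: str, domain: str) -> str:
    """The d=/s= pair a signer puts in DKIM-Signature so verifiers can find the key."""
    return f"d={domain}; s={selector}"


def rotation_plan(today: date, domain: str, keys: Dict[str, str],
                  overlap_days: int = OVERLAP_DAYS) -> Dict[str, str]:
    """Return the DNS TXT records that should be published on `today`.

    The current quarter's selector is always active. The previous quarter's
    selector stays active for `overlap_days` after the switch so in-flight
    mail still verifies, and is then published as revoked rather than
    simply deleted, so a verifier gets a definite answer instead of NXDOMAIN.
    """
    current = selector_for(today)
    previous = previous_quarter_selector(today)
    plan = {record_name(current, domain): key_record(keys[current])}
    in_overlap = today < quarter_start(today) + timedelta(days=overlap_days)
    if previous in keys:
        plan[record_name(previous, domain)] = (
            key_record(keys[previous]) if in_overlap else revoked_record()
        )
    return plan


if __name__ == "__main__":
    for day in (date(2010, 7, 5), date(2010, 9, 9)):
        print(day, signature_tags(selector_for(day), DOMAIN))
        for name, value in rotation_plan(day, DOMAIN, SAMPLE_KEYS).items():
            print(f"  {name} TXT \"{value}\"")
```

Running it for 2010-07-05 shows both 2010q2 and 2010q3 published with live keys (overlap), while 2010-09-09 shows 2010q3 live and 2010q2 revoked. The revoked record rather than a deleted one is the defensive choice: a verifier that hits it can distinguish "key withdrawn" from a DNS outage. Note that the selector changes every quarter while d= stays fixed, which is exactly why reputation keyed on domain plus selector, as the thread worries, would reset with every rotation.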