ietf-dkim

Re: [ietf-dkim] Key rotation

2010-09-09 14:19:20
On 09/09/2010 09:57 AM, Mark Martinec wrote:
> Mark Delany wrote:
>> I believe the general thrust is that DKIM keys are ephemeral
>> so no one should rely on their long-term presence. [...]
>
> With each key there is an associated selector:domain pair,
> so with a key rotation comes the change of a selector.
> Such a purpose of a selector is clearly documented in the
> DKIM RFC.
>
> Rumor has it that some large players (such as Yahoo!) are
> disregarding such ephemeral property of a selector and
> are trying to associate a reputation scheme based on both
> the domain *and* the selector. If such an approach catches on,
> it would mean the end of a free choice of domains to roll up
> new signing keys periodically.
>
> Are my worries warranted? Is there anything that can be
> done about it to prevent such practice?

I'm pretty sure that Mark isn't an advocate of such a practice, but
let's face reality here: RBLs use IP addresses, which are far more
transient, yet we somehow cope. And I don't think that one of the worst
problems with RBLs vs. IP addresses (collateral damage when IP addresses
change hands) even applies here.

But if a reputation service isn't prepared for key rollover on selectors,
I'd look for another one because they're incompetent. What else is a DKIM
signer supposed to do if a key is compromised? Blast out memory eraser rays?

Mike

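An added example, not part of the thread and not code from any of the posters, showing the selector:domain mechanics the thread is about: it parses DKIM-Signature tag lists, derives the DNS name a verifier would query for the selector's public key, and compares two reputation keying schemes over the same signed mail before and after a selector rotation. The signature values, domain and selector names are constructed for illustration.

```python
"""Parse DKIM-Signature tag=value lists and show why a reputation store
should key on the signing domain (d=), not the selector (s=), so that a
routine key rotation does not reset a sender's accumulated history."""
import re
from collections import defaultdict

# Constructed sample DKIM-Signature field bodies (not from the list thread).
# The same domain signs twice with selector s2010q2, then rotates to s2010q3.
# The b= and bh= values are placeholder base64, not real signatures.
SAMPLE_SIGNATURES = [
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s2010q2;\r\n"
    " h=from:to:subject:date; bh=2jmj7l5rSw0yVb/vlWAYkK/YBwk=;\r\n"
    " b=dGVzdA==",
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s2010q2; "
    "h=from:to:subject; bh=2jmj7l5rSw0yVb/vlWAYkK/YBwk=; b=dGVzdA==",
    # After rotation: new selector, same signing domain.
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s2010q3; "
    "h=from:to:subject; bh=2jmj7l5rSw0yVb/vlWAYkK/YBwk=; b=dGVzdA==",
]


def parse_tag_list(value):
    """Split a DKIM tag=value list (RFC 6376 section 3.2) into a dict.

    Tags are separated by ';', a value may itself contain '=' (base64
    padding), and folding whitespace around and inside values carries no
    meaning, so only the first '=' splits name from value."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue  # trailing ';' is permitted
        name, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def selector_record_name(tags):
    """DNS name the verifier queries for the public key: <s>._domainkey.<d>.
    This is the only place the selector matters to a verifier."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def by_domain(tags):
    """Reputation key that survives key rotation: the signing domain alone."""
    return tags["d"]


def by_domain_and_selector(tags):
    """Reputation key that fragments on every rotation (the practice the
    thread worries about)."""
    return (tags["d"], tags["s"])


def reputation_by(signatures, key_fn):
    """Count signature events per reputation key; a real store would
    record verify results and spam verdicts, but the keying is the point."""
    counts = defaultdict(int)
    for sig in signatures:
        counts[key_fn(parse_tag_list(sig))] += 1
    return dict(counts)


if __name__ == "__main__":
    for sig in SAMPLE_SIGNATURES:
        print("key lookup:", selector_record_name(parse_tag_list(sig)))
    print("keyed on d=      :", reputation_by(SAMPLE_SIGNATURES, by_domain))
    print("keyed on (d=, s=):", reputation_by(SAMPLE_SIGNATURES, by_domain_and_selector))
```

Keyed on `d=` the three messages land on one record for example.com; keyed on `(d=, s=)` the history splits across selectors, and a sender who rotates quarterly starts from zero each time, which is exactly what makes rotation after a key compromise costly to the signer.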
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
