Re: [Ietf-dkim] DKIM key rotation best practice
Mark Delany <sx6un-fcsr7@qmda.emu.st> Fri, 07 August 2020 00:17 UTC
Return-Path: <sx6un-fcsr7@qmda.emu.st>
X-Original-To: ietf-dkim@ietfa.amsl.com
Delivered-To: ietf-dkim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 241503A0A78 for <ietf-dkim@ietfa.amsl.com>; Thu, 6 Aug 2020 17:17:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=emu.st
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vo6YivacjGAd for <ietf-dkim@ietfa.amsl.com>; Thu, 6 Aug 2020 17:16:58 -0700 (PDT)
Received: from f3.bushwire.net (f3.bushwire.net [IPv6:2403:5800:9100:aaf0:203:0:120:11]) by ietfa.amsl.com (Postfix) with ESMTP id 00C4D3A0A63 for <ietf-dkim@ietf.org>; Thu, 6 Aug 2020 17:16:57 -0700 (PDT)
Received: by f3.bushwire.net (Postfix, from userid 1001) id 6C0593ACD0; Fri, 7 Aug 2020 10:16:55 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/simple; d=emu.st; s=2019; t=1596759415; bh=1+bt7zscZ6KpaMqBYd1Z7fvSd5E=; h=Comments:Received:Date:Message-ID:From:To:Subject:References: MIME-Version:Content-Type:Content-Disposition:In-Reply-To; b=JPVtnVnxccOBEnq5MnDIsdzEE3w+4Jj3NfOu4kiIYMWGjGdAq3TZv8DcDNK5Cy36I lMP8gopaIdGYB/fw4mDDqrjV9dHxMMmUEdnHCiSXTTdnXdJxOrKN64Wx2vEfwkDnpg fWbYaqzqLOCLkcNuYWschnKxkqzEmVAQfRTiu1BU=iu1BU=
Comments: QMDA 0.3a
Received: (qmail 12158 invoked by uid 1001); 7 Aug 2020 00:16:55 -0000
Date: Fri, 07 Aug 2020 00:16:55 +0000
Message-ID: <20200807001655.12157.qmail@f3-external.bushwire.net>
From: Mark Delany <sx6un-fcsr7@qmda.emu.st>
To: ietf-dkim@ietf.org
References: <BYAPR15MB25670F15F55200ED4145124AEC480@BYAPR15MB2567.namprd15.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <BYAPR15MB25670F15F55200ED4145124AEC480@BYAPR15MB2567.namprd15.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/2Iu2Rhe7vBgMTMMeMqhQulNgVyo>
Subject: Re: [Ietf-dkim] DKIM key rotation best practice
X-BeenThere: ietf-dkim@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim/>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Aug 2020 00:17:00 -0000
On 06Aug20, Shana Bagherian allegedly wrote: > I was looking over rfc 4871 and emailed Eric who suggested I ask the > question of you all on this DL. So, I was wondering if any of the > RCSs related to DKIM list a best practice, or if some other authority > has given a best practice, regarding how often the keys should be > changed? It seems that best practice is every 6 months, but it would > be nice for an authority to state so. Of course, an acceptable answer > is 'it depends' upon the security needs to the organization, but is if > that is the answer - it depends In the absence of any special risk, it might not be unreasonable to follow the validity limits being imposed by RFC5280 on TLS server certificates - which is what, just over a year? They've done the hard yards in determining this value, so why not leverage that? An alternative might be to use the 90 day life-time set by letsencrypt.org - their argument being that it encourages automation. Can the systems you have under consideration automatically generate their DKIM keys? Having said that, it seems that at least some big-name domains change their keys very infrequently. E.g. gmail use a selector of s=20161025 which they've been using since early 2017 and Yahoo are still using s=2048 which I first saw in mid-2014! One suspects that neither of these establishments have automated DKIM systems so if you have one you'll better off than they are. > is there a minimum time frame for generating new keys? Technically there is no minimum time, but it's hard to see much value in rapid key replacement. Your biggest risk may well be subversion of your generation and distribution mechanism at that point. You'll recall the distinction between signing key life-time and verification key life-time. The latter being how long you advertise a key *after* you've stopped signing with it. Some argue that maximum email transit-lifetime + fudge is sufficient as good reasons for re-verifying long after delivery are hard to find. Mark.
- [Ietf-dkim] DKIM key rotation best practice Shana Bagherian
- Re: [Ietf-dkim] DKIM key rotation best practice Mark Delany
- Re: [Ietf-dkim] DKIM key rotation best practice Dave Crocker
- Re: [Ietf-dkim] DKIM key rotation best practice Mark Delany
- Re: [Ietf-dkim] DKIM key rotation best practice Alessandro Vesely
- Re: [Ietf-dkim] DKIM key rotation best practice Dave Crocker
- Re: [Ietf-dkim] DKIM key rotation best practice Brandon Long
- Re: [Ietf-dkim] DKIM key rotation best practice Stephen Farrell
- Re: [Ietf-dkim] DKIM key rotation best practice mikespecter
- Re: [Ietf-dkim] DKIM key rotation best practice Stephen Farrell
- Re: [Ietf-dkim] DKIM key rotation best practice mikespecter
- Re: [Ietf-dkim] DKIM key rotation best practice mikespecter
- Re: [Ietf-dkim] DKIM key rotation best practice Jon Callas
- Re: [Ietf-dkim] DKIM key rotation best practice Shana Bagherian