[Ietf-dkim] DKIM key rotation best practice
Shana Bagherian <Shana.Bagherian@tridengroup.com> Thu, 06 August 2020 22:42 UTC
From: Shana Bagherian <Shana.Bagherian@tridengroup.com>
To: "'ietf-dkim@ietf.org'" <ietf-dkim@ietf.org>
Date: Thu, 06 Aug 2020 22:42:00 +0000
Message-ID: <BYAPR15MB25670F15F55200ED4145124AEC480@BYAPR15MB2567.namprd15.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/ciIxye6cH1e2lmMjYBC7Cee_pc8>
Subject: [Ietf-dkim] DKIM key rotation best practice

I was looking over RFC 4871 and emailed Eric, who suggested I ask the question of you all on this DL.

So, I was wondering if any of the RFCs related to DKIM list a best practice, or if some other authority has given a best practice, regarding how often the keys should be changed? It seems that best practice is every 6 months, but it would be nice for an authority to state so. Of course, an acceptable answer is 'it depends' upon the security needs of the organization, but if that is the answer - it depends - is there a minimum time frame for generating new keys?

Shana Bagherian CISSP, MBA, MCSE
Senior Infrastructure/Security Architect, Triden Group
"Where Security Protects Innovation"
9823 Pacific Heights Blvd Suite H, San Diego, CA 92121
Shana.Bagherian@tridengroup.com
www.tridengroup.com