Re: [Ietf-dkim] DKIM key rotation best practice

mikespecter@gmail.com Mon, 10 August 2020 23:38 UTC

Return-Path: <mikespecter@gmail.com>
X-Original-To: ietf-dkim@ietfa.amsl.com
Delivered-To: ietf-dkim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DF523A0DFC for <ietf-dkim@ietfa.amsl.com>; Mon, 10 Aug 2020 16:38:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5AK47i0ahPd8 for <ietf-dkim@ietfa.amsl.com>; Mon, 10 Aug 2020 16:38:46 -0700 (PDT)
Received: from mail-qt1-x829.google.com (mail-qt1-x829.google.com [IPv6:2607:f8b0:4864:20::829]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED2623A0DEE for <ietf-dkim@ietf.org>; Mon, 10 Aug 2020 16:38:45 -0700 (PDT)
Received: by mail-qt1-x829.google.com with SMTP id d27so8195378qtg.4 for <ietf-dkim@ietf.org>; Mon, 10 Aug 2020 16:38:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=dSqUF5+xwOKEhenVV99FT4m/WYHMk4XykEdiXnD7UaM=; b=aBGU4RzYRvd94Z6njkEWkC+Y73E0lp2O/Mo3uBue3j+gijE8DNE98ePA1lC1PvSm40 mV8MkCUkvZ4fpfaFKniy2pr5ChkfFG6cExl0Hgzgb4OZCPDuzSZgWycKeRb8vJWO1aD2 NIcVlZBsBmYONnNnn+LJUnLPWergpbnxO8oexe7y85ci61C6oKdPnGreeUUp579eB5qb LTr+IvWgaq4lm67JhOlQoIF/8/TuaLvsIdN6wGTFvm+dBBF3zT7ScyZWLZ+owKXQrgB2 qY/lzgFPUbGku5sRc+cHMXF3kE9OfhrwymNopPpwRRB4ZuYDGL41Yapxbr8kP2PVt1Kt ZvfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=dSqUF5+xwOKEhenVV99FT4m/WYHMk4XykEdiXnD7UaM=; b=Po/wgcKYkFz8evLWKcKdinDCqpU50KHRel44KidJUCIOVr3sGU4YgySFk3i36dBV+S 4YWyinxIw69+xxC/Xo/H9C6cxT9s61pX1mrVbjvHo9D9WAjviYRGKHnDI0RVDboiCE7t JN0/hhS2OVbTT8zu+iaGD3CDqVTqug28xQ3vr2F8y5+phLekoGblk6Nl49Er6FQCF665 9AuvUP9yjrP9qPONx1rcZ6/B2QbeslB7csKcdP7yHjDUVD+uqd9NV+vQfybs5PA35rBl Gep/uYQl3MhBwhiykmYHUeXt/9urv0htGWy+p940F6+6gqg9Ch/XE84TIKO813VZ/Aqj F1Cg==
X-Gm-Message-State: AOAM530MKsfL12NsFm/vxqdfypavKb7RKdjS6rwqFtrzRutgU71HQkw2 2S36GhnToQDq1ba2b0vEWkH1Hylf/b1UuA==
X-Google-Smtp-Source: ABdhPJzvolUhWPhoqKIxNZViF9mfMMcXJn9JGo3C6AV237lnfquwbsq43VKE/2C5xmGboIOHGNSAbw==
X-Received: by 2002:ac8:3391:: with SMTP id c17mr29799079qtb.12.1597102724923; Mon, 10 Aug 2020 16:38:44 -0700 (PDT)
Received: from [192.168.1.2] (209-6-231-125.s8315.c3-0.smr-cbr2.sbo-smr.ma.cable.rcncustomer.com. [209.6.231.125]) by smtp.gmail.com with ESMTPSA id d16sm15082940qkk.106.2020.08.10.16.38.44 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 10 Aug 2020 16:38:44 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: mikespecter@gmail.com
Mime-Version: 1.0 (1.0)
Date: Mon, 10 Aug 2020 19:38:43 -0400
Message-Id: <DD761679-1EA4-455E-A244-9FD97F5DF32E@gmail.com>
References: <8f710944-afc5-f722-9229-97950fc39aab@cs.tcd.ie>
Cc: ietf-dkim@ietf.org, Alessandro Vesely <vesely@tana.it>, Brandon Long <blong=40google.com@dmarc.ietf.org>, Dave Crocker <dcrocker@bbiw.net>
In-Reply-To: <8f710944-afc5-f722-9229-97950fc39aab@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Mailer: iPhone Mail (17G68)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/A2dw3sQ-SN6D7tWJmovVJOeP7Iw>
Subject: Re: [Ietf-dkim] DKIM key rotation best practice
X-BeenThere: ietf-dkim@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim/>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2020 23:38:47 -0000

Short answer: fast key rotation (on the order of 15 minutes if necessary) minimizes the amount of private key material that needs to be kept around, and there is no need for an admin to update the key material in DNS.

==Mike

> On Aug 10, 2020, at 7:36 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
> Hiya,
> 
> On 11/08/2020 00:27, mikespecter@gmail.com wrote:
>> Funny you all should ask! I coauthored a paper about exactly this earlier this year:
>> 
>> https://eprint.iacr.org/2019/390
> 
> I recall reading that, and must look at it again
> because I don't recall why it was better than just
> publishing private keys when one is finished with
> 'em (plus a bit).
> 
> S.
> 
>> 
>> ==Mike
>> 
>> On Aug 10, 2020, at 7:06 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>>> 
>>> 
>>> 
>>> On 10/08/2020 23:36, Brandon Long wrote:
>>>> Isn't publishing the private key the opposite of recovery?
>>>> 
>>>> Ie, it's basically a mechanism for plausible deniability.
>>>> 
>>>> "The key is public, anyone could have made that message."
>>> 
>>> Yep. And for DKIM, it's a mechanism I'd myself like to see
>>> well-defined and used.
>>> 
>>> Cheers,
>>> S.
>>> <0x5AB2FAF17B172BEA.asc>
>>> _______________________________________________
>>> Ietf-dkim mailing list
>>> Ietf-dkim@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ietf-dkim
>> 
>> 
>> 
> <0x5AB2FAF17B172BEA.asc>
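An added example, not from this thread and not the scheme of the eprint paper linked above, showing the two mechanisms the thread is weighing against each other: time-bucketed selectors that rotate the DKIM key automatically (so the signer holds only the current period's private key and no admin edits DNS records by hand), and publishing a retired private key so that any signature under that selector could have been made by anyone. Everything here is assumed for illustration: the 15-minute period, an in-memory map standing in for the DNS zone, the `retired.<selector>._domainkey` record name, ed25519 keys in the RFC 8463 `k=ed25519` record form, and signing a plain SHA-256 of the body instead of DKIM's canonicalised headers and body hash.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// rotationPeriod is an assumed interval; the mail only says "on the order of 15 minutes".
const rotationPeriod = 15 * time.Minute

// dnsZone stands in for the signer's DNS zone (name -> TXT record); in-memory so the example runs offline.
type dnsZone map[string]string

// selectorFor maps a timestamp to a time-bucket selector, so each period gets its own key pair and
// DNS record without an admin choosing names or editing the zone by hand.
func selectorFor(t time.Time) string {
	return fmt.Sprintf("k%d", t.UTC().Unix()/int64(rotationPeriod/time.Second))
}

// digest is what gets signed here; real DKIM signs canonicalised headers plus a body hash.
func digest(body []byte) []byte { h := sha256.Sum256(body); return h[:] }

type signer struct {
	domain string
	zone   dnsZone
	keys   map[string]ed25519.PrivateKey // private keys still held, keyed by selector
}

// sign signs under the key for t's bucket, generating and publishing that key on first use
// (public record in the k=ed25519 TXT form of RFC 8463).
func (s *signer) sign(t time.Time, body []byte) (selector, sigB64 string, err error) {
	sel := selectorFor(t)
	priv, ok := s.keys[sel]
	if !ok {
		var pub ed25519.PublicKey
		if pub, priv, err = ed25519.GenerateKey(rand.Reader); err != nil {
			return "", "", err
		}
		s.keys[sel] = priv
		s.zone[sel+"._domainkey."+s.domain] = "v=DKIM1; k=ed25519; p=" + base64.StdEncoding.EncodeToString(pub)
	}
	return sel, base64.StdEncoding.EncodeToString(ed25519.Sign(priv, digest(body))), nil
}

// retire drops every private key whose bucket has ended, so only the current period's key is ever held.
// With publish=true it also posts the retired private key under an assumed "retired.<selector>._domainkey"
// name: once public, anyone could have made any signature under that selector (the thread's deniability point).
func (s *signer) retire(now time.Time, publish bool) []string {
	var retired []string
	for sel, priv := range s.keys {
		if sel == selectorFor(now) {
			continue
		}
		if publish {
			s.zone["retired."+sel+"._domainkey."+s.domain] = "k=ed25519; priv=" + base64.StdEncoding.EncodeToString(priv)
		}
		delete(s.keys, sel)
		retired = append(retired, sel)
	}
	return retired
}

// keyFromZone pulls one "field=value" tag out of a semicolon-separated TXT record and base64-decodes it.
func keyFromZone(zone dnsZone, name, field string, wantLen int) ([]byte, bool) {
	for _, f := range strings.Split(zone[name], ";") {
		if f = strings.TrimSpace(f); strings.HasPrefix(f, field+"=") {
			b, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(f, field+"="))
			return b, err == nil && len(b) == wantLen
		}
	}
	return nil, false
}

// verify does what a receiver does: look up the selector's public key and check the signature.
func verify(zone dnsZone, domain, sel string, body []byte, sigB64 string) bool {
	pub, ok := keyFromZone(zone, sel+"._domainkey."+domain, "p", ed25519.PublicKeySize)
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	return ok && err == nil && ed25519.Verify(ed25519.PublicKey(pub), digest(body), sig)
}

// forgeWithRetired is the flip side of publication: with the retired private key in DNS, a third
// party can sign anything under that selector and it still verifies against the public record.
func forgeWithRetired(zone dnsZone, domain, sel string, body []byte) (string, bool) {
	priv, ok := keyFromZone(zone, "retired."+sel+"._domainkey."+domain, "priv", ed25519.PrivateKeySize)
	if !ok {
		return "", false
	}
	return base64.StdEncoding.EncodeToString(ed25519.Sign(ed25519.PrivateKey(priv), digest(body))), true
}

func main() {
	s := &signer{domain: "example.com", zone: dnsZone{}, keys: map[string]ed25519.PrivateKey{}}
	t0, body := time.Unix(1597102724, 0), []byte("constructed message body") // constructed inputs
	sel, sig, _ := s.sign(t0, body)
	fmt.Println(sel, "verifies:", verify(s.zone, s.domain, sel, body, sig))
	fmt.Println("retired:", s.retire(t0.Add(rotationPeriod), true), "still held:", len(s.keys))
	forged, _ := forgeWithRetired(s.zone, s.domain, sel, []byte("forged"))
	fmt.Println("forgery verifies:", verify(s.zone, s.domain, sel, []byte("forged"), forged))
}
```

The receiver side never changes: it resolves whatever selector the signature names, so the signer can rotate as often as it likes provided each new record is published before the first message signed under it leaves. Whether to publish the retired private key, and whether that is a feature or a hazard, is exactly the question the thread is arguing about; the code only shows that once the key is public a verifier can no longer tell the original signature from the forged one.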