Re: [Ietf-dkim] DKIM key rotation best practice

Dave Crocker <dhc@dcrocker.net> Sat, 08 August 2020 15:06 UTC

Return-Path: <dhc@dcrocker.net>
X-Original-To: ietf-dkim@ietfa.amsl.com
Delivered-To: ietf-dkim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45CD03A0AB7 for <ietf-dkim@ietfa.amsl.com>; Sat, 8 Aug 2020 08:06:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.849
X-Spam-Level:
X-Spam-Status: No, score=-2.849 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.949, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KwH32gegOxZy for <ietf-dkim@ietfa.amsl.com>; Sat, 8 Aug 2020 08:06:01 -0700 (PDT)
Received: from simon.songbird.com (simon.songbird.com [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC21C3A0AC1 for <ietf-dkim@ietf.org>; Sat, 8 Aug 2020 08:06:01 -0700 (PDT)
Received: from [192.168.43.69] ([172.58.75.123]) (authenticated bits=0) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1.1) with ESMTP id 078F8fZf028274 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Sat, 8 Aug 2020 08:08:42 -0700
Reply-To: dcrocker@bbiw.net
To: Alessandro Vesely <vesely@tana.it>
References: <BYAPR15MB25670F15F55200ED4145124AEC480@BYAPR15MB2567.namprd15.prod.outlook.com> <59c0fd6f-1406-9981-a78f-1c08d774c76a@dcrocker.net> <20200807035323.13761.qmail@f3-external.bushwire.net> <03a35673-a92c-6677-8e29-cb5c57c49320@tana.it>
Cc: ietf-dkim@ietf.org
From: Dave Crocker <dhc@dcrocker.net>
Organization: Brandenburg InternetWorking
Message-ID: <d9973017-ba05-18dc-a5db-5f5e8e0cd054@dcrocker.net>
Date: Sat, 08 Aug 2020 08:05:52 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0
MIME-Version: 1.0
In-Reply-To: <03a35673-a92c-6677-8e29-cb5c57c49320@tana.it>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/PUA37szRFs8aRzuIqA426-y2vkU>
Subject: Re: [Ietf-dkim] DKIM key rotation best practice
X-BeenThere: ietf-dkim@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim/>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Aug 2020 15:06:04 -0000

On 8/7/2020 2:11 AM, Alessandro Vesely wrote:
> That paper doesn't mention publishing the private key some time after
> public key revocation.  Someone suggested doing so to avoid the
> Clinton effect.
DKIM is meant for use with data in transit, not data at rest.  Long-term
recovery mechanisms aren't needed for it.

d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
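The rotation and revocation mechanics the thread is discussing, as an added example that is not part of the list thread and not code from any DKIM implementation: a verifier-side parser for the DKIM key record published under `<selector>._domainkey.<domain>` (RFC 6376 tags v=, k=, h=, t=, p=, with an empty p= meaning the key is revoked), plus a rotation schedule that keeps the old selector verifiable for a grace period before revoking it, so in-transit mail still verifies. The selector names, record contents, DNS answers and interval lengths are all constructed for the example; the p= values are placeholders, not real RSA keys.

```python
"""DKIM selector lifecycle: parse key records, classify key state, plan rotation."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample DNS answers (not real records). A long TXT record is stored
# as several character-strings, which a DKIM verifier joins before parsing.
SAMPLE_DNS = {
    "s2020a._domainkey.example.com": [            # selector currently signing
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA",
        "placeholderPublicKeyBase64==",
    ],
    "s2019b._domainkey.example.com": ["v=DKIM1; k=rsa; p="],      # revoked: empty p=
    "s2021t._domainkey.example.com": ["v=DKIM1; k=rsa; t=y; p=placeholderNewKey"],
}


@dataclass
class DkimKeyRecord:
    version: str
    key_type: str
    public_key: str      # base64 exactly as published; "" means revoked
    flags: set
    hash_algs: set


def parse_dkim_record(strings):
    """Parse a DKIM key record (RFC 6376 section 3.6.1) from its TXT strings."""
    text = "".join(strings)
    tags = {}
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue                     # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)  # first '=' only: base64 padding may follow
        name, value = name.strip(), value.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    version = tags.get("v", "DKIM1")
    if version != "DKIM1":
        raise ValueError(f"unsupported version {version!r}")
    return DkimKeyRecord(
        version=version,
        key_type=tags.get("k", "rsa"),
        public_key="".join(tags["p"].split()),   # whitespace inside base64 is ignored
        flags=set(tags.get("t", "").split(":")) - {""},
        hash_algs=set(tags.get("h", "").split(":")) - {""},
    )


def key_state(record):
    """'revoked' (empty p=), 'testing' (t=y) or 'active'."""
    if record.public_key == "":
        return "revoked"
    if "y" in record.flags:
        return "testing"
    return "active"


def lookup_selector(selector, domain, dns=SAMPLE_DNS):
    """Resolve <selector>._domainkey.<domain>; None if no record is published."""
    name = f"{selector}._domainkey.{domain}"
    if name not in dns:
        return None
    return parse_dkim_record(dns[name])


def split_txt(record_text, limit=255):
    """Split a record into DNS character-strings of at most `limit` bytes each."""
    chunks = [record_text[i:i + limit] for i in range(0, len(record_text), limit)]
    return chunks or [""]


def rotation_plan(start, overlap_days=7, grace_days=30):
    """Steps for retiring the old selector in favour of a new one.

    The intervals are assumptions, not a standard: the overlap lets the new
    record propagate before signing switches, and the grace period keeps the
    old key verifiable for mail still in transit; only then is the old record
    revoked by publishing it with an empty p=.
    """
    return [
        (start, "publish the new selector's public key record"),
        (start + timedelta(days=overlap_days), "switch the signer to the new selector"),
        (start + timedelta(days=overlap_days + grace_days), "revoke old selector: publish p= (empty)"),
    ]


if __name__ == "__main__":
    for sel in ("s2020a", "s2019b", "s2021t", "missing"):
        rec = lookup_selector(sel, "example.com")
        print(sel, "no record" if rec is None else key_state(rec))
    for when, action in rotation_plan(date(2020, 8, 8)):
        print(when.isoformat(), action)
```

Splitting on the first `=` only matters in practice: base64 public keys usually end in `=` padding, and a naive `split("=")` would truncate the key and make every signature fail to verify.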