Steve Atkins wrote:

> Do we have any thoughts on 1. how often keys might sensibly be
> rotated and 2. how long public keys should remain visible after the
> private key has been rotated out?
The WG discussed this around 2006. The DKIM-RCVD I-D I wrote summarizes the "timing issues" from the discussions and also offered a way to help resolve this issue:

http://tools.ietf.org/html/draft-santos-dkim-rcvd-00

There are three basic timing points:

  T1 - delivery time
  T2 - MFA (Mail Filtering Agent) process time
  T3 - MUA process/read/view time

T1 is 7 days based on DKIM recommendations and adequately covers the SMTP recommendations of 4-5 retry days. So at a minimum the key retention time should be 7 days.

But there is a T2 gap time when the MFA gets it. This time will most likely be pretty short. And there is a T3 gap between the MFA and the time the MUA gets it. Who knows what T3 is, but it could be pretty long, i.e. a user goes on vacation or simply reads his mail once per day or whatever. So T3 helps consider possible MUAs with DKIM verification plug-ins.

Since T3 can be anywhere from low to high time significant, the I-D proposed a method whereby the middleware (DKIM verifier or not) will create/add a DKIM-Received with your public key information. This way, by the time it is actually needed by a verifier, it will have the old public key information in DKIM-Received.

I also suggested that this DKIM-Received header can be used as a migration idea for those systems not yet ready to sign or verify but can get the information and store it in the header in case there will be a long time-shifted verification period that exceeds the domain's key expiration.

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
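The timing argument above, worked through as an added simulation (example code written for this page, not part of the thread or of draft-santos-dkim-rcvd-00): a domain rotates selectors on a schedule and keeps each retired selector published for a retention window; a message signed just before rotation is then checked at T1 (delivery), T2 (MFA) and T3 (MUA). The `captured_key` field stands in for the DKIM-Received idea, a copy of the public key recorded at MFA time; its exact header syntax, the 30-day rotation period, the 1-day T2 and 14-day T3 values, and all selector names and key strings are constructed assumptions, not values from the draft.

```python
"""Simulate DKIM selector retention against the three timing points (T1, T2, T3)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# T1 retention quoted in the thread: 7 days, covering SMTP retry windows.
T1_DELIVERY = timedelta(days=7)


@dataclass
class SelectorRecord:
    selector: str
    public_key: str                      # constructed placeholder, not a real key
    published: datetime
    withdrawn: Optional[datetime] = None  # None = still published in DNS


class SelectorStore:
    """Toy stand-in for the <selector>._domainkey zone: which keys are visible when."""

    def __init__(self, records):
        self.records = {r.selector: r for r in records}

    def lookup(self, selector, at):
        r = self.records.get(selector)
        if r is None or at < r.published:
            return None
        if r.withdrawn is not None and at >= r.withdrawn:
            return None
        return r.public_key


def rotation_schedule(start, rotate_every, retain_after_rotation, count):
    """Build `count` selectors: each goes live when the previous is rotated out, and
    the retired one stays published for `retain_after_rotation` after that point."""
    records = []
    for i in range(count):
        published = start + i * rotate_every
        withdrawn = None
        if i < count - 1:
            withdrawn = published + rotate_every + retain_after_rotation
        records.append(SelectorRecord(f"s{i + 1}", f"KEY-{i + 1}-PLACEHOLDER", published, withdrawn))
    return records


def minimum_retention(t1, t2, t3):
    """Key must stay published for the whole T1 + T2 + T3 window if only DNS is consulted."""
    return t1 + t2 + t3


@dataclass
class Message:
    selector: str
    signed_at: datetime
    captured_key: Optional[str] = None  # analogue of the DKIM-Received public key copy (assumed)


def mfa_stamp(msg, store, at):
    """Middleware step at T2: record the key seen now so a later MUA check can still use it."""
    key = store.lookup(msg.selector, at)
    if key is not None:
        msg.captured_key = key
    return key is not None


def verify_source(msg, store, at):
    """Where can a verifier at time `at` obtain the key: 'dns', 'dkim-received', or None."""
    if store.lookup(msg.selector, at) is not None:
        return "dns"
    if msg.captured_key is not None:
        return "dkim-received"
    return None


def scenario():
    """Constructed scenario: 30-day rotation, 7-day retention, message signed on day 29."""
    start = datetime(2024, 1, 1)
    store = SelectorStore(rotation_schedule(start, timedelta(days=30), T1_DELIVERY, 3))
    signed_at = start + timedelta(days=29)
    t1 = start + timedelta(days=30)   # delivered next day; s1 still published until day 37
    t2 = start + timedelta(days=31)   # MFA processes it; s1 still published
    t3 = start + timedelta(days=45)   # user reads it after a holiday; s1 is gone from DNS

    plain = Message("s1", signed_at)           # no middleware stamp
    stamped = Message("s1", signed_at)
    mfa_stamp(stamped, store, t2)

    return {
        "t1": verify_source(plain, store, t1),
        "t3_without_stamp": verify_source(plain, store, t3),
        "t3_with_stamp": verify_source(stamped, store, t3),
        "min_retention_days": minimum_retention(T1_DELIVERY, timedelta(days=1), timedelta(days=14)).days,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The design point is the one the message makes: with DNS alone, a selector has to stay published for the full T1 + T2 + T3 window (22 days under the assumed values), and a slow T3 silently turns a valid signature into a failed lookup; capturing the key at the MFA step decouples verification at the MUA from how long the domain keeps its old selector visible.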