Who said anything about it being a legal defense? In discovery you'd have to give over your local copies anyway, so it's very clearly not.
> On Jul 10, 2020, at 21:16, John Levine via mailop <mailop@mailop.org> wrote:
>
> > In article <48a3bfbe-5109-ebbb-3631-1bb604cd1...@bluematt.me> you write:
> >>> TL;DR: The customer is always right, and the customer sees DKIM being
> >>> used regularly to authenticate leaked emails - if old not-in-use keys
> >>> are public, anyone can sign anything they want, and suddenly you can't
> >>> authenticate mail with them, at least after-delivery, that is.
> >
> > I'm trying to think of a situation in which I would want someone as a
> > customer who finds it a problem that people can tell what mail they
> > sent, but whatever.
> >
> > The highly technical answer to your question is that most mail is
> > delivered in a day, so if they rotate keys daily and retract them a
> > day after last using them, their signatures will generally validate.
> > RFC 8463 added ECC signatures to DKIM in 2018 but as far as I know,
> > only the python DKIM library implements them so they're not yet ready
> > for prime time. They can do the key burning hack if they want, but
> > merely unpublishing them should be about as effective, since there
> > aren't a lot of archives of former DNS records. I doubt anyone has
> > copies of my key records from last year or even last month.
> >
> > The more realistic answer is that burning the keys is not a get out of
> > jail free card. Many, probably most, mail systems add an
> > Authentication-Results header when a message is received, which says
> > which DKIM signatures were valid. Imagine this ends up in court, and
> > party A says "our system checked the signature when the mail arrived,
> > and this shows that it was valid" and party B says "oh but you can't
> > check it now because we publish our keys on this web site so any
> > spammer can impersonate us", what is any sensible judge going to do?
> >
> > R's,
> > John
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
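John's point above turns on what a later reader can and cannot check: re-verifying the DKIM signature needs the selector's public key, which the sender controls and can withdraw from DNS, while the Authentication-Results header the receiving MX stamped at delivery survives that withdrawal. The following Python, added here and not part of the thread, parses both headers (the RFC 6376 tag list and the RFC 8601 result list) and reports which of the two kinds of evidence remain for a message. The message headers, the DNS records and the authserv-id `mx.example.net` are constructed for the example; it checks whether the key record is still published, it does not perform the RSA verification itself.

```python
"""Added example (not from the thread): parse a message's DKIM-Signature and
Authentication-Results headers and report what can still be checked once the
signing key has been withdrawn from DNS.  All headers and DNS records below are
constructed for the demonstration."""
import re
from typing import Dict, List, Tuple

Header = Tuple[str, str]


# RFC 6376 s.3.2: DKIM-Signature is a ';'-separated tag=value list; whitespace
# inside values (e.g. a folded b= tag) is not significant.
def parse_tag_list(value: str) -> Dict[str, str]:
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        name, val = part.split("=", 1)
        tags[name.strip().lower()] = re.sub(r"\s+", "", val)
    return tags


def key_record_name(sig: Dict[str, str]) -> str:
    """DNS name the verifier queries for the public key (RFC 6376 s.3.6.2.1)."""
    return f"{sig['s']}._domainkey.{sig['d']}"


# RFC 8601 s.2.2: "authserv-id [version]; method=result [reason=...] ptype.prop=value ..."
_PAIR = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|[^\s;]+)')


def parse_authentication_results(value: str) -> Tuple[str, List[Dict[str, str]]]:
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0].split()[0].lower()  # drop the optional version token
    results: List[Dict[str, str]] = []
    for part in parts[1:]:
        pairs = _PAIR.findall(part)
        if not pairs:  # empty segment or the literal "none"
            continue
        method, result = pairs[0]
        entry = {"method": method.lower(), "result": result.lower()}
        for prop, val in pairs[1:]:
            entry[prop.lower()] = val.strip('"')
        results.append(entry)
    return authserv_id, results


def assess(headers: List[Header], dns_txt_now: Dict[str, str],
           my_authserv_id: str) -> Dict[str, object]:
    sig = next(parse_tag_list(v) for n, v in headers if n.lower() == "dkim-signature")
    key_name = key_record_name(sig)
    key_published = key_name in dns_txt_now

    recorded_pass = False
    for name, value in headers:
        if name.lower() != "authentication-results":
            continue
        authserv_id, results = parse_authentication_results(value)
        # Only a header stamped by our own MX is evidence; anything else could
        # have been written by the sender (RFC 8601 s.5 tells receivers to strip
        # inbound headers that claim their own authserv-id).
        if authserv_id != my_authserv_id.lower():
            continue
        for r in results:
            if (r["method"] == "dkim" and r["result"] == "pass"
                    and r.get("header.d", "").lower() == sig["d"].lower()
                    and r.get("header.s", sig["s"]) == sig["s"]):
                recorded_pass = True

    if key_published:
        verdict = "key still published: signature can be re-verified now"
    elif recorded_pass:
        verdict = ("key withdrawn: only the receiving MX's Authentication-Results "
                   "attests that the signature verified at delivery")
    else:
        verdict = "key withdrawn and no trusted verification record: cannot authenticate"
    return {"key_record": key_name, "key_published": key_published,
            "recorded_pass": recorded_pass, "verdict": verdict}


# Constructed message as it sits in the recipient's mailbox.  Signature and
# body-hash values are dummy base64, not real cryptographic output.
SAMPLE_HEADERS: List[Header] = [
    ("Authentication-Results",
     "mx.example.net; dkim=pass header.d=example.com header.s=20200710 header.b=Zm9vYmFy"),
    # A second header claiming a pass, stamped by someone who is not our MX.
    ("Authentication-Results", "mail.elsewhere.invalid; dkim=pass header.d=example.com"),
    ("DKIM-Signature",
     "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=20200710;\r\n"
     "\th=from:to:subject:date; bh=YmxhaGJsYWg=;\r\n\tb=Zm9vYmFyYmF6cXV4"),
    ("From", "alice@example.com"),
]
# Selector record as it looked on delivery day versus after the daily rotation
# pulled it (the "retract a day after last use" schedule from the thread).
DNS_AT_DELIVERY = {"20200710._domainkey.example.com": "v=DKIM1; k=rsa; p=Q09OU1RSVUNURURfS0VZ"}
DNS_NOW: Dict[str, str] = {}

if __name__ == "__main__":
    for label, dns in (("at delivery", DNS_AT_DELIVERY), ("now", DNS_NOW)):
        print(label, assess(SAMPLE_HEADERS, dns, "mx.example.net"))
```

Run against `DNS_AT_DELIVERY` the key is found and the signature could be re-verified; against `DNS_NOW` the selector is gone and the only surviving evidence is the `dkim=pass` stamped by `mx.example.net`, while the second Authentication-Results header is ignored because its authserv-id is not ours.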