On 21.12.2023 at 12:44, Slavko via mailop <mailop@mailop.org> wrote:

On 20. 12. at 22:38, Gellner, Oliver via mailop wrote:

I'm not 100% sure what you mean by "signed forever", but to change the topic of 
this thread once more (and still stay on topic for this mailing list): While 
the DKIM signature of an email will of course exist forever, it can lose its 
meaning if you regularly switch DKIM keys and publish the old secret keys. That 
way DKIM still allows for plausible deniability, so this is not really an 
argument against it.

Plausible deniability is good for cryptographers and lawyers only. For the rest 
of the world it is hard to find out/realize that the private key was published 
(someone must complain).

And even when one publishes old keys, the signature becomes deniable only 
after publishing them. If one can prove that the message and public key were 
fetched before the private key was published... The one solution could be to 
publish private keys before starting to use them, but that would negate the 
whole purpose of DKIM.

Non-repudiation usually plays a role in court cases, investigation procedures 
and similar situations. They take place weeks, months or years after something 
happened - enough time to rotate the DKIM keys even multiple times.
I don't see what a proof that the key or message was originally downloaded 
before the private key was published could look like. For example, look at 
https://github.com/robertdavidgraham/hunter-dkim If Google had published 
their DKIM private key after it was rotated in 2016, checking the DKIM 
signature in 2020 would have proven nothing.

The worst part is that this signature is often added without the user's 
knowledge/acceptance, thus it is hard to complain if one doesn't know/is not 
aware of DKIM...

Yes, I agree. Because the users have no control over the DKIM signature and 
often don't even know it exists, it would be especially important for large 
ESPs to publish their old keys. Unfortunately I'm not aware of any doing it. 
Maybe they are caught in the concept that private keys and passwords must be 
kept secret at all costs all the time, even after they are expired or have been 
replaced.

—
BR Oliver
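The rotate-and-publish argument discussed above, as an added example that is not part of the original thread: it assumes Ed25519 DKIM keys (the RFC 8463 variant), a plain SHA-256 of a header block in place of DKIM canonicalization and body hashing, and constructed sample headers. Once the old private key is public, a forged signature and the genuine one verify identically, so a later check cannot tell who signed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-in for DKIM signing (not code from the thread). Real DKIM
// canonicalizes headers and hashes the body separately; here the signed input is
// just the SHA-256 of a header block, signed with Ed25519 (the RFC 8463 variant).

// SignHeaders produces the DKIM-Signature b= value; anyone holding the private
// key can call it, legitimate signer or not.
func SignHeaders(priv ed25519.PrivateKey, headers string) []byte {
	h := sha256.Sum256([]byte(headers))
	return ed25519.Sign(priv, h[:])
}

// VerifyHeaders needs only the public key (the selector's p= record in DNS), so
// anyone can run it at any later time: this is the part that "exists forever".
func VerifyHeaders(pub ed25519.PublicKey, headers string, sig []byte) bool {
	h := sha256.Sum256([]byte(headers))
	return ed25519.Verify(pub, h[:], sig)
}

// RotateAndPublish signs a genuine message, rotates the selector and publishes its
// private key, lets a third party sign a fabricated message with that key, and then
// verifies all three combinations the way a later investigator would.
func RotateAndPublish() (genuineOK, forgedOK, mismatchOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail
	genuine := "From: alice@example.com\r\nSubject: real message\r\n"
	sig := SignHeaders(priv, genuine)
	published := priv // selector rotated out; the domain now publishes the old key
	forged := "From: alice@example.com\r\nSubject: words alice never wrote\r\n"
	forgedSig := SignHeaders(published, forged)
	return VerifyHeaders(pub, genuine, sig), // true
		VerifyHeaders(pub, forged, forgedSig), // true: same key, so indistinguishable
		VerifyHeaders(pub, forged, sig) // false: verification itself is sound
}

func main() {
	fmt.Println(RotateAndPublish()) // true true false
}
```

The third result shows that verification still rejects a mismatched message; what the published key removes is any link between a valid signature and the original signer.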

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
