Apropos of nothing, I really wish Gmail would start publishing its expired DKIM secret keys.
Conversation
This Tweet was deleted by the Tweet author. Learn more
So are we saying that we would like the authenticity of OLD email to be completely disavowed?
This would then seem to provide the same protection to historical senders as per OTR Messaging, is that an advantage?
1
2
There’s no reason for anyone to be able to say “yes this three year old message was definitely signed by Google”.
2
1
3
DMARC is an anti-spoofing mechanism based on DKIM and can be used in a strict way. It prevents sending emails fraudulently claiming to be from an origin that has a strict DMARC policy. It's verified by mail servers when receiving mail to stop spoofing, so still not long-term.
1
2
So you're 100% right that it's short-term and not meant to be verifiable long-term, but it's not just anti-spam due to DMARC.
They could much more frequently rotate keys and publish the old ones without breaking what it's meant to achieve. Rotating fast isn't really possible.
Mail servers are supposed to keep retrying sending mail over and over for an unspecific amount of time. They'll actually try for *days* or more so there's a practical limit on how quickly keys can be rotated + need to have a fair bit of overlap between the old keys and new ones.
2
Gmail had the same public key from 2012 to 2016 and still hasn’t published their secret key for that time period. I see no reason why that’s a good thing.
For all we know, it’s been stolen since then and the *only* people who can forge messages credibly are state actors.
1
2
The AP even publishes a tool for verifying signatures to authenticate stolen emails.
1
1
Show replies