Re: A mail relay server for Debian Members is live
Hi,
thanks for finally providing this!
> Mails sent via this server will be DKIM-signed if the from is a
> debian.org, debconf.org or ftp-master.debian.org address. If any
> additional domain should be considered, feel free to ask.
I just wanted to make you aware of something interesting I learnt recently:
In DKIM (and probably other signing systems), doing a regular key rollover is a good idea. That is not so new. What was new to me is the idea of publishing the old secret keys when rotating:
https://blog.cryptographyengineering.com/2020/11/16/ok-google-please-publish-your-dkim-secret-keys/
tl;dr: DKIM-signed mail is verifiable, but only the headers; the body can be tampered with; it is only designed to provide authenticity in the one second the mail is received; malicious people could steal e-mail archives and abuse modified (or even original) mails against senders, even using them in court maybe; publishing the old keys restores deniability because "everyone could have signed that mail because the keys are public"
Cheers,
Nik
Reply to: