If Google did rotate the keys, it's quite likely some enterprising people would ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

advisedwang on Nov 16, 2020 | parent | context | favorite | on: Ok Google: please publish your DKIM secret keys

If Google did rotate the keys, it's quite likely some enterprising people would log observed keys. With access to a log of keys (that you don't believe has been tampered with) then rotating keys doesn't prevent non-repudation.

An alternative would be for email servers to strip the DKIM headers on inbound emails after recording that the email was validated. The email stored at rest then no longer provides non-repudation. Nothing is stopping you doing this today.

arkadiyt on Nov 16, 2020 | [–]

> rotating keys doesn't prevent non-repudation

That's why he says Google also needs to publish the private keys.

kennywinker on Nov 16, 2020 | [–]

I'm not a fan of offloading that trust onto my email host. Not that I validate dkim headers, but the fact that I have access to them keeps my email host honest.

Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact