[ietf-dkim] RFC 4871: Signature Expiration
sager at agitos.de
Sat Jan 12 01:20:06 PST 2008
John Levine wrote:
>> If there was an optional expiration date contained in the _domainkey DNS
>> entry besides the public key instead, a mail admin could react in the
>> short-term to e.g. abuse of the according private key without
>> interfering with the validation of signatures before this expiration date.
> If I were a bad guy, why wouldn't I simply forge a date in my spam
> before the expiration date?
John, I would agree if the expiration date (x-param) was compared to the
signature timestamp (t-param).
But the RFC says (see x-param):

    Signatures MAY be considered invalid if the verification time at the
    verifier is past the expiration date. The verification time should be
    the time that the message was first received at the administrative
    domain of the verifier if that time is reliably available; otherwise
    the current time should be used.
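To make the x=/t= handling discussed in this thread concrete, here is an added Python example (not code from the thread or from any DKIM implementation) that parses the time tags of a DKIM-Signature header and applies the RFC 4871 rule quoted above: expiration is judged against the verification time (the trusted first-receive date if the caller has one, otherwise now), and x= is additionally required to be later than t= as the RFC mandates. The sample header, domain, selector and bh=/b= values are constructed placeholders.

```python
import re
from email.utils import parsedate_to_datetime
from time import time

# Constructed sample header (not from the thread); bh= and b= are placeholders.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; d=example.com; s=sel; c=relaxed/simple;\r\n"
    "\th=from:to:subject:date; t=1200130800; x=1200217200;\r\n"
    "\tbh=PLACEHOLDER; b=PLACEHOLDER"
)


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 4871 tag-list),
    dropping folding whitespace inside values."""
    tags = {}
    for item in header_value.split(";"):
        name, sep, value = item.partition("=")   # split on the first '=' only
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def verification_time(first_received_date=None):
    """RFC 4871 3.5 (x=): use the time the message was first received at the
    verifier's administrative domain if that is reliably available (an RFC 5322
    date string supplied by the caller), otherwise the current time."""
    if first_received_date:
        return int(parsedate_to_datetime(first_received_date).timestamp())
    return int(time())


def check_expiration(header_value, verify_at):
    """Classify a signature's time tags relative to verify_at (Unix seconds)."""
    tags = parse_dkim_tags(header_value)
    t = int(tags["t"]) if "t" in tags else None
    x = int(tags["x"]) if "x" in tags else None
    if x is None:
        return "no-expiration"      # x= is optional; nothing to enforce
    if t is not None and x <= t:
        return "malformed"          # RFC 4871: x= MUST be greater than t=
    if verify_at > x:
        return "expired"            # the "MAY be considered invalid" case
    return "valid"
```

Note that the t= value is signed and therefore only as trustworthy as the signer, which is exactly the objection raised in the quoted reply; the receive-time rule is what keeps a forged t= from extending a signature's life.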