The article advocates publishing old DKIM keys in order to provide deniability. You create a new DKIM key, publish the old one. With the old dkim key forging an old email is relatively easy.
Someone takes you to court and submits an old email that you sent as evidence. You can demonstrate that it is possible that anyone could have signed that email using the now-published DKIM key.
It is interesting that you can do this. A question is whether and when you would want to do so. Someone points out that good or bad conspirators might want to this: you send out anti-Putin emails and can deny it. Other ones?
Another point seems to be that DKIM is really designed not to verify emails, but to verify email senders.
<humor>
Understanding this, I wonder if there are other things you can do with email using the same DKIM signing kind of mechanism. Like what about an OSIM signature, that uses a key only issued to email services that are not Google or Hotmail or one of the other big email people. If the message does not come from an OSIM host, then the email is delivered but goes into a o_spam folder?
<end humor/>
Someone takes you to court and submits an old email that you sent as evidence. You can demonstrate that it is possible that anyone could have signed that email using the now-published DKIM key.
It is interesting that you can do this. A question is whether and when you would want to do so. Someone points out that good or bad conspirators might want to this: you send out anti-Putin emails and can deny it. Other ones?
Another point seems to be that DKIM is really designed not to verify emails, but to verify email senders.
<humor> Understanding this, I wonder if there are other things you can do with email using the same DKIM signing kind of mechanism. Like what about an OSIM signature, that uses a key only issued to email services that are not Google or Hotmail or one of the other big email people. If the message does not come from an OSIM host, then the email is delivered but goes into a o_spam folder? <end humor/>