yatralalala
12 hours ago
Oh wow, just recently started a discussion about this on reddit [0]. Still seems like a pretty bad idea in all possible scenarios. I don't believe that this "plausible deniability" would be a thing there.
[0] https://www.reddit.com/r/sysadmin/comments/1fn3f25/found_rsa...
ryan-c
12 hours ago
I have been doing a daily rotate/revoke/publish routine with my DKIM keys for years, though I do not use the standard private key format for size reasons.
No problems with it, but critically I revoke the public key a few days before publishing the private key.
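The rotate/revoke/publish routine described in this comment, as an added simulation that is not ryan-c's code: each day a new selector is issued and its public key goes into a simulated DNS zone, the previous day's record is pulled, and the private key is only released after a quiet period. The selector naming scheme, the one-day signing window and the three-day quiet period are assumed values, and the DNS zone is an in-memory dict standing in for real TXT records.

```python
"""DKIM key lifecycle simulation (constructed example, not ryan-c's routine).

Invariant enforced: a private key is never published while its selector's
public key is still resolvable in DNS, and only after a quiet period has
passed since the public record was removed (revoked).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed parameters: each selector signs mail for one day, and the private
# key is published three days after its public record leaves DNS.
SIGNING_DAYS = 1
QUIET_DAYS = 3


@dataclass
class DkimKey:
    selector: str
    created: date
    revoked: Optional[date] = None    # day the DNS TXT record was removed
    published: Optional[date] = None  # day the private key was made public


class DkimRotation:
    """Tracks selectors through sign -> revoke -> publish."""

    def __init__(self):
        self.keys = []
        self.dns = {}  # selector -> simulated TXT record (stands in for the zone)

    def step(self, today):
        """Run one day of the routine; return the actions taken that day."""
        actions = []
        # 1. Rotate: issue a fresh selector and publish its public key.
        selector = f"s{today.isoformat()}"  # hypothetical naming scheme
        self.keys.append(DkimKey(selector, today))
        self.dns[selector] = f"v=DKIM1; k=rsa; p=<pubkey-{selector}>"
        actions.append(("publish_dns", selector))
        # 2. Revoke: pull the DNS record of any key past its signing window.
        for key in self.keys:
            if key.revoked is None and (today - key.created).days >= SIGNING_DAYS:
                del self.dns[key.selector]
                key.revoked = today
                actions.append(("revoke_dns", key.selector))
        # 3. Publish the private key only once the quiet period has elapsed.
        for key in self.keys:
            if key.published is None and self.may_publish(key, today):
                key.published = today
                actions.append(("publish_private", key.selector))
        return actions

    def may_publish(self, key, today):
        """The safety check: refuse while the public key is live or too fresh."""
        if key.selector in self.dns:
            return False
        if key.revoked is None:
            return False
        return (today - key.revoked).days >= QUIET_DAYS


def simulate(days, start=date(2024, 9, 23)):
    """Run the routine for `days` days; return the rotation state and a log."""
    rot = DkimRotation()
    log = []
    for i in range(days):
        day = start + timedelta(days=i)
        log.append((day, rot.step(day)))
    return rot, log


def invariant_holds(rot):
    """True if no private key was released early or while still in DNS."""
    for key in rot.keys:
        if key.published is None:
            continue
        if key.revoked is None or (key.published - key.revoked).days < QUIET_DAYS:
            return False
        if key.selector in rot.dns:
            return False
    return True


if __name__ == "__main__":
    rot, log = simulate(10)
    for day, actions in log:
        print(day, actions)
    print("invariant holds:", invariant_holds(rot))
```

The ordering inside `step` matters: the new selector is published before the old one is revoked, so there is never a moment with no valid signing key in DNS, and `may_publish` is the single gate that keeps a still-resolvable public key from ever being paired with a released private key.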
blakesterz
12 hours ago
And someone found a good reason for it?
https://www.reddit.com/r/sysadmin/comments/1fn3f25/found_rsa...
"So yes, in that one specific case it's actually a good idea to publish private keys - albeit expired ones."
yatralalala
12 hours ago
Yup, it kinda makes sense, but I agree with other commenters there that plausible deniability is not as strong here.
out-of-ideas
12 hours ago
what KittensInc wrote and quoted is basically the lengthy version of what plausible deniability covers. It is just a matter of time before a leak/hack/exploit happens; so ensuring we have edge cases covered is why those priv keys are published. DKIM uses these priv keys to the sender, not to encrypt the payload of the email to make it secret.