hankmander | 9 years ago

Why do you want to rotate your DKIM keys?

brightball | 9 years ago

https://hotforsecurity.bitdefender.com/blog/mathematician-im...

Once that key is known, it can be impersonated. Regular rotation is a practical mitigation strategy and I like that Sendgrid took it on ahead of the game.

Since they are sending, they can create a new key on the second domain, tell new emails to use it without impacting anything in transit by leaving the old one active until it is changed for rotation.
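The dual-selector rotation described above, as an added example that is not from the thread or SendGrid's code: one selector per key, publish the new record beside the old one, sign new mail with the new key, and keep the old record until in-flight mail has been delivered. Assumptions: a map stands in for the DNS zone (keyed by selector name), and message bytes are signed directly without DKIM canonicalization.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"strings"
)

// NewSelector generates a 2048-bit key and the "v=DKIM1; k=rsa; p=..." TXT value for <selector>._domainkey.<domain>.
func NewSelector() (*rsa.PrivateKey, string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, "", err
	}
	der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey) // cannot fail for an RSA key
	return key, "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), nil
}

// Sign returns a base64 RSA-SHA256 signature over msg (toy: no DKIM canonicalization, only the key handling).
func Sign(key *rsa.PrivateKey, msg []byte) (string, error) {
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return base64.StdEncoding.EncodeToString(sig), err
}

// Verify plays the receiver: dns is a constructed stand-in for the zone. A selector whose record
// has been pulled fails here, so the old record must stay published until old-signed mail has landed.
func Verify(dns map[string]string, selector string, msg []byte, sig string) error {
	_, p, ok := strings.Cut(dns[selector], "p=")
	if !ok {
		return errors.New("no usable DKIM record for selector " + selector)
	}
	der, err := base64.StdEncoding.DecodeString(strings.TrimSpace(strings.Split(p, ";")[0]))
	if err != nil {
		return err
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return err
	}
	raw, _ := base64.StdEncoding.DecodeString(sig) // malformed base64 simply fails the check below
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub.(*rsa.PublicKey), crypto.SHA256, h[:], raw) // toy: only RSA records are built here
}
```

Retiring the old selector is the step that breaks mail still in transit, so the check for it belongs in whatever script removes the record.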

jlgaddis | 9 years ago

Yes, if someone steals your private key, you're screwed. Keeping the private key private is, well, a fundamental component of how PKI works.

> Once that key is known ...

You say that like it happens every day. Use long enough keys and you don't have to worry about it.

The general consensus is that (some) 1024-bit keys can be brute-forced -- though the number of attackers capable of this is extremely limited. If your threat model includes the NSA (or anyone, for that matter) cracking your key, the solution is to increase the length of your key.

I agree that rotating your keys is a good idea but it's not like it's something you have to do every day.

CodeWriter23 | 9 years ago

Isn't the proper solution just to use a 1024-bit (or longer) key for DKIM signing?