Hot take: DKIM signatures with ed25519 are largely useless🔥🔑

I know what you're thinking. RSA is bad. You read that blogpost with the "f" word. (It's not good.) This isn't about ed25519 vs. RSA, but about how DKIM works

Here's the problem: if you introduce a new crypto algorithm into a protocol, you need to know if the other side" supports it. But in DKIM, you don't. You're sending e-mails to arbitrary receivers. DKIM has no mechanism to tell you if that receiver supports any algorithm.
🧵

I strongly believe there are entire companies right now under heavy AI psychosis and its impossible to have rational conversations about it with them. I can't name any specific people because they include personal friends I deeply respect, but I worry about how this plays out.

I lived through the great MTBF vs MTTR (mean-time-between-failure vs. mean-time-to-recovery) reckoning of infrastructure during the transition to cloud and cloud automation. All those arguments are rearing their ugly heads again but now its... the whole software development industry (maybe the whole world, really).

It's frightening, because the psychosis folks operate under an almost absolute "MTTR is all you need" mentality: "its fine to ship bugs because the agents will fix them so quickly and at a scale humans can't do!" We learned in infrastructure that MTTR is great but you can't yeet resilient systems entirely.

The main issue is I don't even know how to bring this up to people I know personally, because bringing this topic up leads to immediately dismissals like "no no, it has full test coverage" or "bug reports are going down" or something, which just don't paint the whole picture.

We already learned this lesson once in infrastructure: you can automate yourself into a very resilient catastrophe machine. Systems can appear healthy by local metrics while globally becoming incomprehensible. Bug reports can go down while latent risk explodes. Test coverage can rise while semantic understanding falls. Changes happens so fast that nobody notices the underlying architecture decaying.

I worry.

RE: https://c.im/@cdarwin/116479704797697865

Nothing "went rogue". AI didn't delete the firm's database and backups. A human operator built admin automation and ran it in production without adequate testing or backups.

I'm sorry, but no: a human gave admin privileges to unverified tools and ran them in a production environment.

Own your work. You as sysadmin, developer, etc. are paid to perform a job with skill and diligence. Ultimately you are responsible for your professional work. If there was someone upstream responsible for V&V of the tool, ensuring users are trained, cautions and limitations of the tool are communicated, and confirming the tool is fit for its intended use, they bear a share of that responsibility.

If you're the manager that forced worker to use an unreliable tool on production systems without putting it through proper V&V, without effective user training, use case development, or risk assessment, you bear a share of the responsibility.

Repeating this for those in the back: AI does not launder away your job responsibilities.