On Feb 24, 2006, at 11:52 AM, Hallam-Baker, Phillip wrote:
We do know that we will have to do a second change at some point
when SHA-3 is approved. That is a long time off. When it comes we
are likely to be looking at moving away from using RSA at the same
time for the same reasons that NIST deprecates RSA beyond 2048 bits.
I think that the consenus here is to:
1) Start the SHA-256 transition now, making it a MUST for
verifiers, MUST/SHOULD for signers.
Agreed. Hash is not where most of the time is spent, and DKIM should
be able to afford this algorithm. Whatever the security group
decides will likely be a good choice, but this reliance may cause a
modification prior to final acceptance of the DKIM draft.
2) Ensure that we are confident that the protocol design will allow
an algorithm transition in 2010 or so.
The only point of contention appears to be over whether we need to
consider support for large key blobs. I say no because I think it
most likely we would move to ECC rather than 4096 bit RSA. Doug
argues that we should change the protocol completely in case we
might want to use very large keys.
The comment was in regard to extensibility. Adopting a different
service other than DNS may be to increase trust, for example.
I would hope that at the point where we are looking at the
algorithm transition we would also be looking at experience from
deploying DNSSEC. Given how closely DKIM and DNSSEC are bound I
think we can punt the large key issue to that whole discussion.
Agreed.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html