I noticed a blog post critical of Facebook for only using a 512-bit key
in their DKIM signatures:
http://blog.jgc.org/2010/06/facebooks-dkim-rsa-key-should-be.html
His analysis looks correct, except that he doesn't consider the
possibility that they might rotate their keys periodically (although, as
far as I can tell, they haven't yet).
Of course, there's a follow-on blog post that confuses the issue further:
http://techie-buzz.com/tech-news/facebook-insecure-dkim-encryption-mail.html
by suggesting that DKIM does encryption.
I'm in the process of collecting a bunch of DKIM selector data to see
what the distribution of key lengths looks like. But I'm hard pressed
to criticize a domain for using a key that's marginally too short when
there are so many other domains that aren't signing at all.
Any thoughts?
-Jim
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
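For the key-length survey mentioned above, the measurement step is parsing each selector's DKIM TXT record and reading the RSA modulus size out of the p= tag. The following is an added example, not code from this thread; every function name is my own, and the sample records use constructed fake moduli rather than anyone's real key.

```python
import base64
import re

# Minimal DER encode/decode, just enough for an RSA SubjectPublicKeyInfo.
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body
def _der_int(v):  # DER INTEGER, zero-padded so it stays positive
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return _tlv(0x02, (b"\x00" + b) if b[0] & 0x80 else b)
def _read_tlv(buf, pos):  # returns (tag, value, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

RSA_ALG_ID = bytes.fromhex("06092a864886f70d0101010500")  # OID rsaEncryption + NULL

def spki_from_rsa(n, e):
    """Build a DER SubjectPublicKeyInfo; used here only to construct sample records."""
    pkcs1 = _tlv(0x30, _der_int(n) + _der_int(e))
    return _tlv(0x30, _tlv(0x30, RSA_ALG_ID) + _tlv(0x03, b"\x00" + pkcs1))

def rsa_modulus_bits(spki):
    """SPKI -> BIT STRING -> RSAPublicKey -> bit length of the modulus n."""
    _, body, _ = _read_tlv(spki, 0)        # outer SEQUENCE
    _, _, pos = _read_tlv(body, 0)         # AlgorithmIdentifier (skipped)
    tag, bitstr, _ = _read_tlv(body, pos)  # BIT STRING; first byte = unused-bit count
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    _, pkcs1, _ = _read_tlv(bitstr, 1)
    _, n_bytes, _ = _read_tlv(pkcs1, 0)    # INTEGER n comes before INTEGER e
    return int.from_bytes(n_bytes, "big").bit_length()

def dkim_key_bits(txt):
    """Modulus size of an RFC 6376 DKIM TXT record, or None when p= is empty (revoked)."""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    p = re.sub(r"\s+", "", tags.get("p", ""))  # base64 may be folded across TXT strings
    return rsa_modulus_bits(base64.b64decode(p)) if p else None

# Constructed sample records with fake moduli (NOT real keys): 512-bit, 1024-bit, revoked.
RECORD_512 = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_from_rsa((1 << 511) | 0x1235, 65537)).decode()
RECORD_1024 = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_from_rsa((1 << 1023) | 0x4321, 65537)).decode()
RECORD_REVOKED = "v=DKIM1; k=rsa; p="
```

In a real survey the record text comes from a TXT query for `<selector>._domainkey.<domain>`, where the selector is the s= tag of a received DKIM-Signature header; feeding each answer to `dkim_key_bits` gives the distribution directly.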