On Thu, Feb 16, 2006 at 03:33:20PM +0000, Stephen Farrell allegedly wrote:
Mark,
Now that I've reset the brain a bit:-)
Thanks. My crude explanation probably compounded the problem a bit.
The assumption that all signers and verifiers have the same idea of an
absolute strength-order for hash algorithms is a bit optimistic.
For example, some countries do insist on national algorithms being
supported - see rfc 4357 for example. I don't think I want to get into
a dispute about whether the Gost-hash is better or worse than sha-256
(or whatever) - do you?
Right. I completely understand that there might be different views of
strong and weak and that we (for most of we and certainly me) aren't
experts in this area.
But I'm thinking that DKIM has a simpler task. It merely has to
observe the debate and decisions of the security world and when they
come to conclusions we piggy-back off of that:
If a) The current algorithm is accepted as being at risk
and If b) An agreed-upon stronger algorithm is available
then c) Change the standard to reflect the stronger algorithm
While there remains uncertainly about a) or b) then do nothing.
Mark.
_______________________________________________
NOTE WELL: This list operates according to
http://dkim.org/ietf-list-rules.html