On Feb 24, 2006, at 12:56 PM, Hector Santos wrote:
The reason people are pushing for SHA-256 now is not because there is a
probable imminent break. It is because we know just how long the process
of switching algorithms takes.
I agree.
I think that the consensus here is to:
1) Start the SHA-256 transition now, making it a MUST for verifiers,
MUST/SHOULD for signers.
My only take here is that this MUST/SHOULD for signers will always be
tagged with a basic implementation question of
"well, which one should I use?"
So I think it should be carefully phrased to say:
SIGNERS "SHOULD" use the highest form of security first among the
choices currently available {SHA-1, SHA-256}. Although it is out
of the scope of this specification, a SIGNER "MAY" use a
VERIFIER lookup concept to determine the highest form of
security it offers.
This helps or resolves both issues and addresses the future, especially
the case if indeed when a method is hacked and DKIM signer wishes to
quickly migrate to a new method as supported by the validators. In my
view, it is almost inevitable, the signer will need to be a lot smarter
than the documentation calls for, i.e. find out more about the host
system it is about to send a "valuable" mail to.
This discussion, though, all assumes that we're talking about strong
cryptography.
We're not. We're talking about weak authentication, primarily for email
whitelisting. There are so many other trivially exploitable flaws in the
whole DK concept if it were applied to other problem domains (phishing,
say) that considering it as anything outside the domain of weak
authentication of email originator is going to be unwise.
Given that, even if an algorithm is compromised it is still of value if
the cost of faking up a hash drastically exceeds the value of being able
to look signed when you're not. That value is pretty low in any scenario
where the sender and recipient are going to be relying solely on DK.
Given the CPU overhead of SHA-256 is about 50% higher than SHA-1 it
makes more sense for the senders of most email currently to use SHA-1
than SHA-256. That will continue to be true if SHA-1 is "broken" for
some definition of the word.
Even if you wildly disagree with all of the above it all remains quite
true in the perception of the largest senders of DKIM authenticated
email and you need to bear that in mind.
Cheers,
Steve
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html