Steve Atkins wrote:
This discussion, though, all assumes that we're talking about strong
cryptography.
We're not. We're talking about weak authentication, primarily for email
whitelisting. There are so many other trivially exploitable flaws in the
whole DK concept if it were applied to other problem domains
(phishing, say)
that considering it as anything outside the domain of weak authentication
of email originator is going to be unwise.
I don't accept this assumption. Creating a new weak link in the
architecture would be unwise. If you are referring to the fact that DNS
itself could be attacked, you're right, it could be. But there are
standards to deal with that.
Given the CPU overhead of SHA-256 is about 50% higher than SHA-1 it
makes more sense for the senders of most email currently to use SHA-1
than SHA-256. That will continue to be true if SHA-1 is "broken" for some
definition of the word.
According to what I've hard so far, nobody is CPU bound in
implementations, so this may not be an issue.
Even if you wildly disagree with all of the above it all remains quite
true
in the perception of the largest senders of DKIM authenticated email
and you need to bear that in mind.
What I keep in mind is not so much what things look like today, but what
they might look like 2-4 years from now, when Moore's law and many grad
students have had a few more shots at us.
Eliot
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html