Michael Thomas wrote:
Stephen Farrell wrote:
Section 3.3.3 includes 512 bit rsa as a MUST. I think that that
might be an error. Is there really any need for anything smaller
than 1024 in any case?
Isn't there something of a calculation which equates effort to
break over time? DKIM lifetimes are normally quite short, so
smaller keys are not implausible, especially given the level
of protection DKIM actually provide (weakest link: DNS).
That's a defensible argument. Just to be clear though - there
are two lifetimes in DKIM - signature lifetime, related to
message transit times, and key lifetime, related to some unknown
management cycle, and its the latter (and presumably longer) one
that's in question here. From painful experience, changing keys
is something that some enterprises are really, really bad at.
If we were to continue to allow (let alone MUST) 512, then I
think there'd need to be a serious warning to change those
keys pretty often. I'd rather we did without that if its
possible.
Anecdotally, I have noticed there is a perceivable performance
difference between 512 and 1024. IIRC, 768 seems still imperceptible.
Fair enough. Though h/w acceleration is widely, cheaply available
as used for https, and there's no real difference here (modulo
sha256 support I guess).
Stephen.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html