Paul Hoffman wrote:
At 3:16 PM +0000 3/16/06, Stephen Farrell wrote:
Just to be clear though - there
are two lifetimes in DKIM - signature lifetime, related to
message transit times, and key lifetime, related to some unknown
management cycle, and its the latter (and presumably longer) one
that's in question here.
Correct. On the other hand, there is lots of text in the spec indicating
that changing keys is likely to happen often for many different reasons.
I'm afraid that Stephen's observation is more likely to be
closer to reality, even if the spec is more optimistic about
it.
If we were to continue to allow (let alone MUST) 512, then I
think there'd need to be a serious warning to change those
keys pretty often.
Only if those keys were considered to be valuable by an attacker so that
it is worth spending thousands of MIPS-years to factor the public key.
Which leads us back to the original question, I guess. I'm fairly
certain that nobody's going to spend any MIPS-years to factor
mtcc.com's public key. They might consider it for something more
tempting like, oh say, Bigbank.com. Or they might try pharming
instead which is probably an easier tactic.
Ultimately this is far more likely to be a question of what passes
IESG muster though. I don't sense that there's much consensus that
it would be a good fight to pick with them.
How about:
Signers SHOULD NOT use keys less that 1024 bits, receivers MUST
accept keys less that 1024 but MAY consider weaker keys as more
suspicious.
(where "suspicious" has been used before in the draft to mean something
along the lines of heightened scrutiny, etc).
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html