ietf-dkim

Re: [ietf-dkim] DKIM using old RSA padding?

2011-02-28 10:32:14

Hanno Böck wrote:
On Mon, 28 Feb 2011 09:44:25 -0500,
Dave CROCKER <dhc(_at_)dcrocker(_dot_)net> wrote:

Just for archive completeness (and to comfort folks like me who lack
crypto clue) could you offer a very brief summary of the difference
between what DKIM currently uses and what is being suggested,
especially in terms of how the newer one is better and why that might
be important?  

The difference is merely protection against hypothetical weaknesses in
the padding scheme. Old padding schemes have been made more or less in
a naive way (usually hash-then-sign), while PSS (specified in PKCS #1
2.1) provides provable security properties under certain model
assumptions.

Thanks for the explanation. I've always approached these kinds of problems
for dkim with a test like "if I could exploit a weakness at great expense,
would dkim signatures be on the short list?" The answer is invariably no.
It's similarly why the SHA1 brouhaha wasn't _that_ big a deal, IMO.

Mike
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html