ietf-dkim
[Top] [All Lists]

[ietf-dkim] ISSUE: Verifiers MUST implement rsa-sha256

2011-04-18 12:09:27
Section 3.3 has the phrase

   Verifiers MUST implement rsa-sha256

Implementers will understand that they can go away with a verifier
that does not implement rsa-sha1.  Their verifier would then return
PERMFAIL for the sha1-signed newsletter in the following informative
note.  I suggest to clarify this as follows:

   INFORMATIVE NOTE: Although sha256 is strongly encouraged, some
   senders of low-security messages (such as routine newsletters) may
   prefer to use sha1 because of reduced CPU requirements to compute
   a sha1 hash.  MTAs whose verifiers don't implement rsa-sha1 will
   treat these messages as if they were not signed.  In general,
   sha256 should always be used whenever possible.

See also http://mipassoc.org/pipermail/ietf-dkim/2011q1/015464.html
(which was written at a time when verifiers were mandated to implement
both sha digests.)  This change is meant to prevent that kind of
misunderstandings.

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

<Prev in Thread] Current Thread [Next in Thread>
  • [ietf-dkim] ISSUE: Verifiers MUST implement rsa-sha256, Alessandro Vesely <=