[ietf-dkim] DKIM Key Size Constraints

2015-05-11 12:46:46
RFC 6376 (which I think is the latest) includes:

3.3.3.  Key Sizes

   Selecting appropriate key sizes is a trade-off between cost,
   performance, and risk.  Since short RSA keys more easily succumb to
   off-line attacks, Signers MUST use RSA keys of at least 1024 bits for
   long-lived keys.  Verifiers MUST be able to validate signatures with
   keys ranging from 512 bits to 2048 bits, and they MAY be able to
   validate signatures with larger keys.  Verifier policies may use the
   length of the signing key as one metric for determining whether a
   signature is acceptable.

Since receivers have no good way of knowing what keys are long-lived, there's 
no way on the receiver side to reliably determine if a key shorter than 1024 
bits is being appropriately used or not.  I think it's time to kill keys 
shorter than 1024 bits dead.  It's not like the risks associated with them are 
new [1].

I propose a short draft that updates 6376 to say MUST use at least 1024 bits 
and sets that as the minimum size verifiers must be able to validate.  I'm 
volunteering to write it if people agree it's appropriate.

Scott K


[1] http://www.wired.com/2012/10/dkim-vulnerability-widespread/
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
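
A verifier-side sketch of the key-length policy discussed in the message above, as an added example that is not part of the original post or of any DKIM implementation. It assumes the p= tag holds a base64 DER SubjectPublicKeyInfo (the form common tooling publishes); the function names and the sample records, which use placeholder moduli rather than real keys, are constructed for illustration.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d0101010500")  # rsaEncryption OID + NULL

def _tlv(data, pos, tag):
    """Read one DER TLV at pos and return (value_start, value_end)."""
    if pos + 2 > len(data) or data[pos] != tag:
        raise ValueError(f"expected tag {tag:#x} at offset {pos}")
    length, pos = data[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated DER")
    return pos, pos + length

def rsa_bits_from_record(txt):
    """Return the RSA modulus size in bits for a DKIM key record."""
    tags = {k.strip(): v for k, v in
            (t.split("=", 1) for t in txt.split(";") if "=" in t)}
    p = "".join(tags.get("p", "").split())         # drop folding whitespace
    if not p:
        raise ValueError("empty p= tag (revoked key)")
    der = base64.b64decode(p, validate=True)
    s, _ = _tlv(der, 0, 0x30)                      # SubjectPublicKeyInfo
    a, a_end = _tlv(der, s, 0x30)                  # AlgorithmIdentifier
    if der[a:a_end] != RSA_OID:
        raise ValueError("not an RSA key")
    b, _ = _tlv(der, a_end, 0x03)                  # BIT STRING
    k, _ = _tlv(der, b + 1, 0x30)                  # RSAPublicKey, after unused-bits byte
    m, m_end = _tlv(der, k, 0x02)                  # modulus INTEGER
    return int.from_bytes(der[m:m_end], "big").bit_length()

def acceptable(txt, minimum=1024):
    """Policy check: the floor applies to every key, long-lived or not."""
    return rsa_bits_from_record(txt) >= minimum

def _der(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + hdr + body

def constructed_record(bits):
    """Constructed sample record: placeholder modulus of the given size, not a real key."""
    integer = lambda v: _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    key = _der(0x30, integer((1 << (bits - 1)) | 1) + integer(65537))
    spki = _der(0x30, _der(0x30, RSA_OID) + _der(0x03, b"\x00" + key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    for bits in (512, 768, 1024, 2048):
        print(bits, "accept" if acceptable(constructed_record(bits)) else "reject")
```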