Dear Scott,
Signatures normally offer options not easily supported by
DKIM. One being use of binary keys, rather than base64.
Indeed shorter keys were a mistake. What other mistakes
should be corrected? I can name a few.
Regards,
Douglas Otis
On 5/11/15 10:06 AM, Scott Kitterman wrote:
RFC 6376 (which I think is the latest) includes:
3.3.3. Key Sizes
Selecting appropriate key sizes is a trade-off between cost,
performance, and risk. Since short RSA keys more easily succumb to
off-line attacks, Signers MUST use RSA keys of at least 1024 bits for
long-lived keys. Verifiers MUST be able to validate signatures with
keys ranging from 512 bits to 2048 bits, and they MAY be able to
validate signatures with larger keys. Verifier policies may use the
length of the signing key as one metric for determining whether a
signature is acceptable.
Since receivers have no good way of knowing what keys are long-lived, there's
no way on the receiver side to reliably determine if a key shorter than 1024
bits is being appropriately used or not. I think it's time to kill keys
shorter than 1024 bits dead. It's not like the risks associated with them are
new [1].
I propose a short draft that updates 6376 to say MUST use at least 1024 bits
and setting that as the minimum size verifiers must be able to validate. I'm
volunteering to write it if people agree it's appropriate.
Scott K
[1] http://www.wired.com/2012/10/dkim-vulnerability-widespread/
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
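
The verifier-side policy discussed in this thread (using the length of the signing key to decide whether a signature is acceptable), as an added example that is not part of the original message or of any DKIM implementation. It assumes the p= tag carries a base64 DER SubjectPublicKeyInfo for an RSA key; MIN_BITS, the verdict strings and all function names are hypothetical, and sample_record() builds constructed test records whose modulus is filler, not a real key.

```python
import base64
MIN_BITS = 1024  # floor proposed in the thread (RFC 6376 3.3.3 has verifiers handle 512-2048)

def _tlv(buf, pos):  # read one DER TLV at pos -> (tag, value, next_pos)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_key_bits(p_b64):
    """Modulus size in bits of the SubjectPublicKeyInfo carried in a p= tag."""
    spki = base64.b64decode(p_b64, validate=True)
    _, body, _ = _tlv(spki, 0)        # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _tlv(body, 0)         # AlgorithmIdentifier (skipped)
    tag, bits, _ = _tlv(body, pos)    # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("not a DER BIT STRING with 0 unused bits")
    _, rsa, _ = _tlv(bits, 1)         # RSAPublicKey SEQUENCE
    tag, modulus, _ = _tlv(rsa, 0)    # first INTEGER is the modulus
    if tag != 0x02:
        raise ValueError("modulus INTEGER not found")
    return int.from_bytes(modulus, "big").bit_length()

def check_key_record(txt):
    """Return (verdict, bits) for one DKIM key record (TXT value)."""
    pairs = (t.split("=", 1) for t in txt.split(";") if "=" in t)
    tags = {k.strip(): "".join(v.split()) for k, v in pairs}
    if tags.get("k", "rsa") != "rsa":
        return "unsupported-key-type", None
    if not tags.get("p"):
        return "revoked", None        # an empty p= means the key was revoked
    bits = rsa_key_bits(tags["p"])
    return ("accept" if bits >= MIN_BITS else "reject-short-key"), bits

def _der(tag, val):  # encode one DER TLV (used only to build the constructed samples)
    n, size = len(val), (len(val).bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + hdr + val

def sample_record(bits):
    """Constructed input: well-formed SPKI whose modulus is filler, not a real key."""
    n = b"\x00" + b"\xc3" * (bits // 8)  # leading zero keeps the INTEGER positive
    rsa = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

The check works only from the published key, so it applies the same floor to every selector without needing to know whether a key is long-lived.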