ietf-dkim

Re: [ietf-dkim] DKIM Key Size Constraints

2015-05-13 01:08:47
On Mon, 11 May 2015, Scott Kitterman wrote:
> I propose a short draft that updates 6376 to say MUST use at least 1024
> bits and setting that as the minimum size verifiers must be able to
> validate.  I'm volunteering to write it if people agree it's appropriate.

I don't see a benefit.  Entities that simply do not use DKIM at all are
a bigger problem than those that publish weak keys.  And the fact that
weak keys are presently legal does not provide a way to impersonate a
sender who only publishes strong keys.

The only point in specifying a limit at all is that it may allow shortcuts
in implementation.  I know the crypto library embedded in Exim fails
(safely, but with an unhelpful error) if asked to sign a message with a
key that is too weak.  Since keys that weak are formally banned, it's not
really a bug.

(I noticed when attempting to re-use a YDK key I had already published.
The format of the key in DNS is backwards compatible but YDK's recommended
size was smaller than DKIM's minimum size.)

And it's all irrelevant anyway in my view.  There is currently only one
accessory protocol for DKIM, and that protocol (DMARC) is even more
useless than SPF in identifying mail to outright reject in-transaction.
And that is the only mission I care about.

---- Michael Deutschmann <michael(_at_)talosis(_dot_)ca>
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
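
As an added example for the size floor discussed in this message (not part of the original post and not code from Exim or any DKIM project), this Python code measures the RSA modulus in a DKIM key record and compares it with the 1024-bit minimum proposed in the quoted text. The names `rsa_bits`, `meets_minimum` and `sample_record` are hypothetical, and the sample records are constructed with a placeholder modulus of the right size, not real keys.

```python
import base64
MIN_BITS = 1024  # floor proposed in the quoted message

def _tlv(buf, pos, tag):
    """Read one DER element with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag {tag:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def rsa_bits(record):
    """Modulus size in bits of the RSA key in a DKIM key record's p= tag."""
    tags = {k.strip(): v.strip() for k, v in
            (t.split("=", 1) for t in record.split(";") if "=" in t)}
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        raise ValueError("no usable RSA key (other k= or empty p=)")
    der = base64.b64decode("".join(tags["p"].split()))
    spki, _ = _tlv(der, 0, 0x30)            # SubjectPublicKeyInfo
    _, pos = _tlv(spki, 0, 0x30)            # AlgorithmIdentifier, skipped
    bitstr, _ = _tlv(spki, pos, 0x03)       # BIT STRING; byte 0 = unused bits
    rsa_key, _ = _tlv(bitstr[1:], 0, 0x30)  # RSAPublicKey
    modulus, _ = _tlv(rsa_key, 0, 0x02)     # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def meets_minimum(record, floor=MIN_BITS):
    return rsa_bits(record) >= floor

def _der(tag, body):
    """Minimal DER encoder, used only to build the constructed samples."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed record with modulus 2^(bits-1)+1: right size, not a real key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption
    rsa_key = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    print({b: meets_minimum(sample_record(b)) for b in (512, 768, 1024, 2048)})
```

A record with an empty `p=` (a revoked key) or a non-RSA `k=` raises `ValueError` rather than being reported as a size.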
