[ietf-dkim] agenda item on upgrading hash algorithms?

[Douglas Otis]

On Feb 24, 2006, at 11:52 AM, Hallam-Baker, Phillip wrote:

>
> We do know that we will have to do a second change at some point  
> when SHA-3 is approved. That is a long time off. When it comes we  
> are likely to be looking at moving away from using RSA at the same  
> time for the same reasons that NIST deprecates RSA beyond 2048 bits.
>
> I think that the consenus here is to:
>
> 1) Start the SHA-256 transition now, making it a MUST for  
> verifiers, MUST/SHOULD for signers.

Agreed.  Hash is not where most of the time is spent, and DKIM should  
be able to afford this algorithm.  Whatever the security group  
decides will likely be a good choice, but this reliance may cause a  
modification prior to final acceptance of the DKIM draft.


> 2) Ensure that we are confident that the protocol design will allow  
> an algorithm transition in 2010 or so.
>
> The only point of contention appears to be over whether we need to  
> consider support for large key blobs. I say no because I think it  
> most likely we would move to ECC rather than 4096 bit RSA. Doug  
> argues that we should change the protocol completely in case we  
> might want to use very large keys.

The comment was in regard to extensibility.  Adopting a different  
service other than DNS may be to increase trust, for example.


> I would hope that at the point where we are looking at the  
> algorithm transition we would also be looking at experience from  
> deploying DNSSEC. Given how closely DKIM and DNSSEC are bound I  
> think we can punt the large key issue to that whole discussion.

Agreed.

-Doug