[ietf-dkim] New Issue: 512 too short?

Stephen Farrell stephen.farrell at cs.tcd.ie
Thu Mar 16 07:16:29 PST 2006



Michael Thomas wrote:
> Stephen Farrell wrote:
>>
>> Section 3.3.3 includes 512 bit rsa as a MUST. I think that that
>> might be an error. Is there really any need for anything smaller
>> than 1024 in any case?
> 
> Isn't there something of a calculation which equates effort to
> break over time? DKIM lifetimes are normally quite short, so
> smaller keys are not implausible, especially given the level
> of protection DKIM actually provides (weakest link: DNS).

That's a defensible argument. Just to be clear though - there
are two lifetimes in DKIM - signature lifetime, related to
message transit times, and key lifetime, related to some unknown
management cycle, and it's the latter (and presumably longer) one
that's in question here. From painful experience, changing keys
is something that some enterprises are really, really bad at.

If we were to continue to allow (let alone MUST) 512, then I
think there'd need to be a serious warning to change those
keys pretty often. I'd rather we did without that if it's
possible.

> Anecdotally, I have noticed there is a perceivable performance
> difference between 512 and 1024. IIRC, 768 seems still imperceptible.

Fair enough. Though h/w acceleration is widely, cheaply available
as used for https, and there's no real difference here (modulo
sha256 support I guess).

Stephen.
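The key-lifetime concern above is something a receiving site can at least measure: the DKIM TXT record publishes the public key as a base64 DER SubjectPublicKeyInfo in its p= tag, so the modulus size is visible to anyone who fetches the record. The following is an added example, not code from the thread or from any DKIM implementation: a stdlib-only Python check that parses a DKIM record, walks the DER structure down to the RSA modulus, and reports whether the key is shorter than 1024 bits. The record builder at the bottom exists only to construct sample records offline from made-up moduli (they are not real keys); `build_dkim_record`, `rsa_modulus_bits` and `check_dkim_key` are names chosen here, and the 1024-bit threshold is the one argued for in the message.

```python
import base64

# OID 1.2.840.113549.1.1.1 (rsaEncryption) as it appears in a SubjectPublicKeyInfo
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")
DER_NULL = b"\x05\x00"
MIN_RSA_BITS = 1024  # threshold argued for in the thread (assumption for this check)


def _der_tlv(tag, body):
    """Encode one DER tag-length-value element (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _der_int(value):
    """Encode a non-negative INTEGER; prepend 0x00 when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _der_tlv(0x02, raw)


def _read_tlv(buf, pos):
    """Decode the element at buf[pos]; return (tag, body, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def build_dkim_record(modulus, exponent=65537):
    """Build a 'v=DKIM1; k=rsa; p=...' TXT value from a constructed modulus.
    Used only to create sample records offline; this is not a key generator."""
    rsa_public_key = _der_tlv(0x30, _der_int(modulus) + _der_int(exponent))
    algorithm = _der_tlv(0x30, RSA_ENCRYPTION_OID + DER_NULL)
    bit_string = _der_tlv(0x03, b"\x00" + rsa_public_key)  # 0 unused bits
    spki = _der_tlv(0x30, algorithm + bit_string)
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode("ascii")


def parse_dkim_tags(record):
    """Split 'tag=value; tag=value' into a dict; whitespace inside values
    (left over from DNS string folding) is dropped."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags


def rsa_modulus_bits(record):
    """Return the RSA modulus size in bits of a DKIM TXT record's p= key."""
    tags = parse_dkim_tags(record)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA key: k=%s" % tags.get("k"))
    if not tags.get("p"):
        raise ValueError("empty p= tag (revoked key)")
    spki = base64.b64decode(tags["p"])
    tag, spki_body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    tag, alg_body, pos = _read_tlv(spki_body, 0)
    if tag != 0x30 or not alg_body.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("AlgorithmIdentifier is not rsaEncryption")
    tag, bit_string, _ = _read_tlv(spki_body, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsa_body, _ = _read_tlv(bit_string, 1)  # skip the unused-bits byte
    if tag != 0x30:
        raise ValueError("RSAPublicKey is not a SEQUENCE")
    tag, modulus_bytes, _ = _read_tlv(rsa_body, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus_bytes, "big").bit_length()


def check_dkim_key(record, minimum=MIN_RSA_BITS):
    """Return (bits, verdict) where verdict is 'ok' or 'too short'."""
    bits = rsa_modulus_bits(record)
    return bits, "ok" if bits >= minimum else "too short"


if __name__ == "__main__":
    # Constructed moduli of the sizes debated in the thread; not real keys.
    for size in (512, 768, 1024):
        print(size, check_dkim_key(build_dkim_record((1 << (size - 1)) | 1)))
```

Run against a real selector by feeding `check_dkim_key` the concatenated TXT strings from `selector._domainkey.example.com`; the tag parser discards the whitespace that DNS string splitting leaves inside the base64, and the `k=` and empty-`p=` checks keep non-RSA and revoked records from being reported as short keys.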