[ietf-dkim] Crypto Algorithm policy/practice
stephen.farrell at cs.tcd.ie
Wed Aug 2 04:05:28 PDT 2006
Michael Thomas wrote:
> I know that we've gotten a barrage in the last few days but is there
> support for
> having policy for what algorithms a domain uses? I assume this is to
> deal with
> bid-down attacks. I know where we stand wrt this with -base, but don't
> whether we were given any guidence wrt -ssp, or whether there was general
> support for this in -ssp.
Doesn't that have an implication of an SSP lookup even for signatures
that are cryptographically correct?
There're also no bidding down attacks, just spoofs here so I think the
logic that says this isn't needed for base also applies to SSP. But I
guess maybe something's different.
So, not sure myself if its useful in SSP, but maybe worth including as
a candidate req. in your -00 anyway.
More information about the ietf-dkim