[ietf-dkim] The key record upgrade attack
pbaker at verisign.com
Fri Aug 4 10:04:58 PDT 2006
Fortunately there is no conflict here.
If you consider RSA1024 secure and you find a valid RSA1024 signature on the message then you are done.
If on the other hand you only find an RSA1024 signature and you have reason to consider RSA1024 less than satisfactory you MAY decide to take a look at the policy record to see if there should also be a signature that offers stronger semantics.
This particular constraint has no impact on the deployed base whatsoever since it will be a very long time before even an RSA512 signature would not deliver a sufficient degree of security for the purposes for which it is currently used.
If you consider that approach to be incompatible with base that would imply that the original assertion that we could separate policy and base was wrong and that we cannot go to last call on base until we complete policy. I don't think you would want to disappoint the group by making such a false and erroneous assertion now, would you?
> -----Original Message-----
> From: ietf-dkim-bounces at mipassoc.org
> [mailto:ietf-dkim-bounces at mipassoc.org] On Behalf Of Paul Hoffman
> Sent: Friday, August 04, 2006 12:23 PM
> To: ietf-dkim
> Subject: Re: [ietf-dkim] The key record upgrade attack
> At 8:38 AM -0700 8/4/06, Douglas Otis wrote:
> >During a transition, it would be important to communicate what will be
> >offered and what has been deprecated. Then these options MUST be
> >available or the related signatures MUST be ignored.
> The SSP document *cannot* change the way implementers of the
> -base document process signatures. "MUST be ignored" changes
> the logic of -base.