[ietf-dkim] The key record upgrade attack
dotis at mail-abuse.org
Fri Aug 4 10:48:40 PDT 2006
On Aug 4, 2006, at 10:17 AM, Paul Hoffman wrote:
> At 10:04 AM -0700 8/4/06, Hallam-Baker, Phillip wrote:
>> Fortunately there is no conflict here.
>> If you consider RSA1024 secure and you find a valid RSA1024
>> signature on the message then you are done.
>> If on the other hand you only find an RSA1024 signature and you
>> have reason to consider RSA1024 less than satisfactory you MAY
>> decide to take a look at the policy record to see if there should
>> also be a signature that offers stronger semantics.
> That's not what Doug said. He said:
>>> During a transition, it would be important to communicate what
>>> will be offered and what has been deprecated. Then these options
>>> MUST be available or the related signatures MUST be ignored.
> I specifically object to the last three words.
Avoiding the bid-down _requires_ those last three words.
More information about the ietf-dkim