On October 26, 2022 11:56:31 PM UTC, Steven M Jones <[email protected]> wrote:
>On 10/26/22 16:45, Neil Anuskiewicz wrote:
>>> On Oct 26, 2022, at 3:48 AM, Douglas Foster
>>> <[email protected]> wrote:
>>>
>>>
>>> Murray first raised the issue of weak signatures.
>>> ...
>>>
>>> Weak results need to be part of the aggregate report so that domain owners
>>> understand the importance of moving from weak to strong signatures.
>>> ...
>>>
>>> - DMARC Evaluation does not exit upon finding an aligned and verified weak
>>> signature. Instead, the result is noted but the evaluation continues in
>>> hopes of finding an aligned and verified strong signature.
>> Strong defined as the strength of the encryption algorithm (i.e., key size).
>
>
>And to be clear(er), any language talking about "strength" in terms of key
>size has to account for algorithm + key size, or you can get some incorrect
>treatment of e.g. elliptical curve signatures.

If we need to define it, I'd say "weak" is anything that doesn't meet the
requirements of RFC 8301 (RSA key length < 1024 bits or hash is SHA-1). Any
RSA SHA-256 with a large enough key or any ed25519-SHA-256 (RFC 8463) is not
weak.

No need to spend a lot of effort on this.

Scott K

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
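
The definition of "weak" given in the reply above, combined with the quoted proposal that evaluation continue past a weak signature, as an added Python example that is not part of the thread or of any DMARC implementation. The `DkimResult` record, the function names and the sample results are hypothetical, and treating unrecognized algorithms as weak is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

MIN_RSA_BITS = 1024  # threshold stated in the message above


@dataclass
class DkimResult:          # hypothetical record of one DKIM-Signature check
    domain: str            # d= tag
    algorithm: str         # a= tag, e.g. "rsa-sha256"
    key_bits: Optional[int]  # RSA modulus size of the published key; None for ed25519
    verified: bool         # signature verified cryptographically
    aligned: bool          # d= aligns with the RFC5322.From domain


def strength(sig: DkimResult) -> str:
    """Classify by algorithm AND key size, not key size alone."""
    alg = sig.algorithm.lower()
    if alg == "ed25519-sha256":
        return "strong"    # fixed-size key; a bit-count test would misjudge it
    if alg == "rsa-sha256" and sig.key_bits is not None \
            and sig.key_bits >= MIN_RSA_BITS:
        return "strong"
    return "weak"          # rsa-sha1, short RSA keys, unknown algorithms (assumption)


def evaluate(sigs):
    """Return (verdict, sig); a weak pass is noted but the scan continues."""
    weak = None
    for sig in sigs:
        if not (sig.verified and sig.aligned):
            continue
        if strength(sig) == "strong":
            return "pass-strong", sig
        weak = weak or sig  # remember the first weak pass for reporting
    return ("pass-weak", weak) if weak else ("none", None)


# Constructed sample results for one message (not real data).
SAMPLE = [
    DkimResult("example.com", "rsa-sha1", 2048, True, True),         # weak hash
    DkimResult("esp.example.net", "rsa-sha256", 2048, True, False),  # unaligned
    DkimResult("example.com", "ed25519-sha256", None, True, True),   # strong
]

if __name__ == "__main__":
    verdict, sig = evaluate(SAMPLE)
    print(verdict, sig.algorithm if sig else None)
```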
