How will we handle the ever-changing definition of "weak"?

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast
> -----Original Message-----
> From: dmarc <[email protected]> On Behalf Of Scott Kitterman
> Sent: Wednesday, October 26, 2022 10:27 PM
> To: [email protected]
> Subject: Re: [dmarc-ietf] Weak signatures
>
> On October 26, 2022 11:56:31 PM UTC, Steven M Jones <[email protected]> wrote:
> >On 10/26/22 16:45, Neil Anuskiewicz wrote:
> >>> On Oct 26, 2022, at 3:48 AM, Douglas Foster <[email protected]> wrote:
> >>>
> >>> Murray first raised the issue of weak signatures.
> >>> ...
> >>> Weak results need to be part of the aggregate report so that domain owners understand the importance of moving from weak to strong signatures.
> >>> ...
> >>> - DMARC Evaluation does not exit upon finding an aligned and verified weak signature. Instead, the result is noted but the evaluation continues in hopes of finding an aligned and verified strong signature.
> >> Strong defined as the strength of the encryption algorithm (i.e., key size).
> >
> >And to be clear(er), any language talking about "strength" in terms of key size has to account for algorithm + key size, or you can get some incorrect treatment of e.g. elliptical curve signatures.
>
> If we need to define it, I'd say "weak" is anything that doesn't meet the requirements of RFC 8301 (RSA key length < 1024 bits or hash is SHA-1). Any RSA SHA-256 with a large enough key or any ed25519-SHA-256 (RFC 8463) is not weak.
>
> No need to spend a lot of effort on this.
>
> Scott K

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
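The three points in the quoted thread, worked out as an added Python example (not code from the thread, from the IETF, or from any DMARC implementation): Scott's RFC 8301 definition (rsa-sha1 or an RSA modulus under 1024 bits is weak; rsa-sha256 with a large enough key or ed25519-sha256 per RFC 8463 is not), Steven's point that strength has to be judged by algorithm plus key size rather than key size alone, and Douglas's proposal that evaluation records an aligned verified weak signature and keeps looking for a strong one. Assumptions: the DKIM verifier has already done the cryptographic check and hands over a verified flag; the key size is read out of the DNS key record's p= value with a minimal DER reader; relaxed alignment is simplified to a parent-domain check; all keys, records and signature headers below are constructed placeholders, not real keys or signatures.

```python
import base64
from dataclasses import dataclass

WEAK, STRONG = "weak", "strong"

# --- minimal DER helpers: enough to read the modulus out of an RSA SubjectPublicKeyInfo ---

def der_tlv(buf: bytes, off: int = 0):
    """Read one DER TLV at buf[off]; return (tag, value, offset_after)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def rsa_modulus_bits(spki_der: bytes) -> int:
    """Bit length of the modulus in a k=rsa DKIM p= value (a DER SubjectPublicKeyInfo)."""
    _, spki, _ = der_tlv(spki_der)          # SubjectPublicKeyInfo SEQUENCE
    _, _, off = der_tlv(spki)               # AlgorithmIdentifier, skipped
    tag, bits, _ = der_tlv(spki, off)       # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING in SubjectPublicKeyInfo")
    _, rsapub, _ = der_tlv(bits[1:])        # drop the unused-bits byte; RSAPublicKey SEQUENCE
    tag, n, _ = der_tlv(rsapub)             # INTEGER modulus (may carry a leading 0x00 pad)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus in RSAPublicKey")
    return int.from_bytes(n, "big").bit_length()

def der_encode(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def fake_rsa_spki(bits: int) -> bytes:
    """Structurally valid RSA SubjectPublicKeyInfo with a placeholder modulus of the requested size.
    Constructed test data only: the modulus is not a product of two primes and verifies nothing."""
    nb = ((1 << (bits - 1)) | 1).to_bytes((bits + 7) // 8, "big")
    if nb[0] & 0x80:
        nb = b"\x00" + nb                   # DER INTEGER is signed; pad to keep the modulus positive
    rsapub = der_encode(0x30, der_encode(0x02, nb) + der_encode(0x02, b"\x01\x00\x01"))
    rsa_oid = der_encode(0x06, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption
    alg_id = der_encode(0x30, rsa_oid + der_encode(0x05, b""))
    return der_encode(0x30, alg_id + der_encode(0x03, b"\x00" + rsapub))

# --- DKIM tag lists and RFC 8301 / RFC 8463 strength classification ---

def parse_tags(s: str) -> dict:
    """Parse a DKIM tag=value list (signature header or key record); folding whitespace in values is dropped."""
    out = {}
    for part in s.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip()] = "".join(v.split())
    return out

def classify(sig_header: str, key_record: str):
    """Return (strength, key_bits). Weak per RFC 8301: rsa-sha1, or rsa-sha256 under 1024 bits.
    ed25519-sha256 (RFC 8463) is strong although its key is 256 bits: judge algorithm + size, not size alone."""
    sig, key = parse_tags(sig_header), parse_tags(key_record)
    alg, ktype = sig["a"].lower(), key.get("k", "rsa").lower()
    pub = base64.b64decode(key["p"])
    if alg == "ed25519-sha256" and ktype == "ed25519":
        return STRONG, len(pub) * 8
    if alg == "rsa-sha1" and ktype == "rsa":
        return WEAK, rsa_modulus_bits(pub)
    if alg == "rsa-sha256" and ktype == "rsa":
        bits = rsa_modulus_bits(pub)
        return (STRONG if bits >= 1024 else WEAK), bits
    raise ValueError(f"unsupported or mismatched a={alg} / k={ktype}")

# --- DMARC-style DKIM evaluation that keeps going past an aligned weak signature ---

@dataclass
class SigResult:
    d: str            # signing domain (d= tag)
    verified: bool    # cryptographic outcome, supplied by the DKIM verifier (assumed here)
    strength: str
    key_bits: int

def aligned(d: str, from_domain: str) -> bool:
    # Relaxed alignment simplified to a parent-domain check; real DMARC compares Organizational Domains.
    return d == from_domain or from_domain.endswith("." + d)

def dkim_dmarc_result(from_domain: str, results) -> str:
    """'pass' for any aligned verified strong signature, 'pass-weak' if only weak ones exist, else 'fail'.
    An aligned weak signature is recorded, but the loop does not exit on it."""
    best = "fail"
    for r in results:
        if not (r.verified and aligned(r.d, from_domain)):
            continue
        if r.strength == STRONG:
            return "pass"
        best = "pass-weak"
    return best

def evaluate(from_domain: str, signatures):
    """signatures: iterable of (DKIM-Signature value, key TXT record, verified flag)."""
    results = [SigResult(parse_tags(h)["d"], ok, *classify(h, k)) for h, k, ok in signatures]
    return dkim_dmarc_result(from_domain, results), results

# --- constructed samples (placeholder keys, empty b= tags; none of these are real) ---
B64 = lambda b: base64.b64encode(b).decode()
KEY_RSA_512 = "v=DKIM1; k=rsa; p=" + B64(fake_rsa_spki(512))
KEY_RSA_2048 = "v=DKIM1; k=rsa; p=" + B64(fake_rsa_spki(2048))
KEY_ED25519 = "v=DKIM1; k=ed25519; p=" + B64(bytes(32))
SIG_RSA_SHA1 = "v=1; a=rsa-sha1; d=example.com; s=old; b="
SIG_RSA_512 = "v=1; a=rsa-sha256; d=example.com; s=tiny; b="
SIG_ED25519 = "v=1; a=ed25519-sha256; d=example.com; s=ed; b="

def demo():
    only_weak = evaluate("example.com", [(SIG_RSA_512, KEY_RSA_512, True), (SIG_RSA_SHA1, KEY_RSA_2048, True)])[0]
    weak_then_strong = evaluate("example.com", [(SIG_RSA_512, KEY_RSA_512, True), (SIG_ED25519, KEY_ED25519, True)])[0]
    return only_weak, weak_then_strong   # ('pass-weak', 'pass')
```

Note that SigResult and classify carry the weak/strong outcome separately from the verified flag, so a report generator can put "pass-weak" into the aggregate report as Douglas asks, and that the 2048-bit rsa-sha1 sample is classified weak on the hash alone while the 256-bit ed25519 sample is strong, which is exactly the case Steven warns a key-size-only rule would get backwards.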
