On Fri 28/Oct/2022 07:37:54 +0200 Murray S. Kucherawy wrote:
On Thu, Oct 27, 2022 at 7:45 AM Dotzero <[email protected]> wrote:
This is why I don't believe "weak" should be included in any normative
manner. I'm not sure that it should be defined for reporting. I think a
better approach is some verbiage about weak signatures as a problem.
Perhaps for reporting something like "Local Policy: weak signature" but
leave it up to the validator to deal with the weak signature decision
outside of DMARC. It's really a DKIM issue.
I think this is the simpler solution.
Think of it as layers. DKIM is a layer below DMARC. The DKIM standard
only stipulates a few possible results from looking at a signature: it
validates (and the name of the validated domain is included), it doesn't
validate, or there was an error. As that's the extent of the output,
that's the extent of what DMARC knows, and we shouldn't presume to be able
to include anything further in a report.
I beg to disagree. DMARC reporting is all about acceptance of a site's
cryptographic settings by remote receivers. Domain owners configure their MTAs
trying to follow the prevailing trend. Doing so without feedback can cause
detachment from reality.
RFC8601 provides for a result of dkim=policy, exemplified by a non-signed
Subject: field which makes a signature too weak in the eyes of the receiver. I
imagine the same mechanism can be used for insufficient key size or deprecated
SHA-1. Banning such result from being reported looks like unjustified censorship.
Rather, it would make reports more interesting to add some information about
what Doug calls the deprecated zone, where my signature is accepted as a
boundary case. Finally, why can't I report that an 8k RSA key is excessive?
Best
Ale
--
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
