Jan Dušátko writes:
> In my opinion, the verifiability of the place and time of origin needs
> to be addressed, which is one of the reasons to use DKIM:
> - Ed25519 has a security equivalent of 125b, a little less than the
> currently required security equivalent 128b (more or less the same)
> - Ed448, like Ed25519, is standardized both within TLS 1.3 and for
> digital signature thanks to NIST and ETSI

All of those are much stronger than what is needed for authentication of
the sender. Attackers will not be wasting that many resources to simply
generate fake DKIM signatures.

> - RSA should be vulnerable to Shor algorithm (one QFT) in the future
> - ECDSA/EDDSA should be vulnerable to modified Shor algorithm (two QFTs)
> in the future
> - PQC migration will also need to be addressed in the near future
> It is not a question of how many algorithms there will be, but what
> algorithms will be involved.

Again we are talking about authentication, not store and decrypt later.
If someone actually generates a quantum computer, he will not be wasting
computing time to break DKIM; there are much higher value targets to
attack. Post-quantum crypto is needed now when you are encrypting data,
and attackers can store that encrypted data and decrypt it later when
they have quantum computers.

For PQC migration we need to have algorithm agility, i.e., the ability to
add a new algorithm in a backward-compatible way, i.e., without breaking
any old implementations. I think we can already do that, as we can use
different algorithms to generate multiple DKIM headers, and new
implementations can ignore the old broken algorithms and only verify the
ones known to be secure, while old implementations will still be able to
verify old algorithms, so there is nothing to be done now for PQC in
DKIM.

-- 
kivi...@iki.fi
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
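The agility argument above (several DKIM-Signature headers, each verifier generation applying its own policy to the a= tag) as an added, self-contained example; this is not code from the thread or from any DKIM implementation. It assumes a constructed message, constructed per-algorithm keys, a hypothetical "new verifier" policy that has retired rsa-sha256, and a hypothetical a= value "hypothetical-pqc" standing in for a future algorithm. The public-key check itself is replaced by a keyed HMAC stand-in so the block runs offline on the standard library; what it demonstrates is the header selection and the "at least one accepted signature verifies" rule, not RSA or Ed25519 verification.

```python
import hmac
import hashlib
import re

# Stand-in "algorithms": real DKIM verifies a public-key signature against the
# key published at <s>._domainkey.<d>; here a keyed HMAC per algorithm name
# stands in so the example runs offline. Keys are constructed for this example.
STANDIN_KEYS = {
    "rsa-sha256": b"constructed-rsa-key",          # algorithm tag from RFC 6376
    "ed25519-sha256": b"constructed-ed25519-key",  # algorithm tag from RFC 8463
}


def standin_sign(alg: str, body: bytes) -> str:
    return hmac.new(STANDIN_KEYS[alg], alg.encode() + b"\n" + body,
                    hashlib.sha256).hexdigest()


def standin_verify(alg: str, body: bytes, b: str) -> bool:
    return hmac.compare_digest(standin_sign(alg, body), b)


def parse_tag_list(value: str) -> dict:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2). Folding whitespace
    inside values is dropped, which is correct for a=, b=, bh= and h=."""
    tags = {}
    for item in value.split(";"):
        if item.strip():
            name, _, val = item.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def sign_message(body: bytes, algs) -> list:
    """Signer side: one DKIM-Signature header per algorithm over the same body."""
    headers = []
    for alg in algs:
        headers.append(("DKIM-Signature",
                        f"v=1; a={alg}; d=example.org; s=sel-{alg}; "
                        f"h=from:subject; b={standin_sign(alg, body)}"))
    headers += [("From", "alice@example.org"), ("Subject", "agility")]
    return headers


# Verifier policies: the a= values a verifier implements and still trusts.
OLD_VERIFIER = frozenset({"rsa-sha256"})       # pre-RFC 8463 code: knows RSA only
NEW_VERIFIER = frozenset({"ed25519-sha256"})   # hypothetical later policy: RSA retired


def verify(headers, body: bytes, accepted: frozenset):
    """Judge each DKIM-Signature header on its own; the message authenticates
    if at least one accepted signature verifies. Unknown or retired a= values
    are skipped instead of failing the whole message, so an old verifier keeps
    working on a message that also carries a newer signature."""
    results = []
    for name, value in headers:
        if name.lower() != "dkim-signature":
            continue
        tags = parse_tag_list(value)
        alg = tags.get("a", "")
        if alg not in accepted or alg not in STANDIN_KEYS:
            results.append((alg, "ignored"))
            continue
        ok = standin_verify(alg, body, tags.get("b", ""))
        results.append((alg, "pass" if ok else "fail"))
    return any(r == "pass" for _, r in results), results


if __name__ == "__main__":
    body = b"hello\r\n"                                   # constructed message body
    dual = sign_message(body, ["rsa-sha256", "ed25519-sha256"])
    print("old verifier:", verify(dual, body, OLD_VERIFIER))
    print("new verifier:", verify(dual, body, NEW_VERIFIER))
```

The two policies see the same message: the old verifier verifies the rsa-sha256 header and ignores the ed25519-sha256 one it does not know; the new verifier does the reverse. A message signed only with the retired algorithm fails under the new policy, and a header with an a= value neither verifier implements is skipped without affecting the outcome of the other signatures.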