https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7124
Bug ID: 7124
Summary: DKIM: RFC 6376 - Signers MUST use RSA keys of at least
1024 bits
Product: Spamassassin
Version: 3.4.0
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P2
Component: Plugins
Assignee: [email protected]
Reporter: [email protected]
In response to a discussion on the mailing list (January 2015,
"possible bug in Mail::DKIM when keysize is under 1024 bits",
following the practice by Google and others to ignore
signing keys shorter that 1024 bits, and following the
RFC 6376 section 3.3.3 (as pointed out by A. Schulze):
3.3.3. Key Sizes
Selecting appropriate key sizes is a trade-off between cost,
performance, and risk. Since short RSA keys more easily succumb to
off-line attacks, Signers MUST use RSA keys of at least 1024 bits for
long-lived keys. Verifiers MUST be able to validate signatures with
keys ranging from 512 bits to 2048 bits, and they MAY be able to
validate signatures with larger keys. Verifier policies may use the
length of the signing key as one metric for determining whether a
signature is acceptable.
Factors that should influence the key size choice include the
following:
o The practical constraint that large (e.g., 4096-bit) keys might
not fit within a 512-byte DNS UDP response packet
o The security constraint that keys smaller than 1024 bits are
subject to off-line attacks
o Larger keys impose higher CPU costs to verify and sign email
o Keys can be replaced on a regular basis; thus, their lifetime can
be relatively short
o The security goals of this specification are modest compared to
typical goals of other systems that employ digital signatures
See [RFC3766] for further discussion on selecting key sizes.
... here is now a change to the DKIM plugin to ignore signatures
shorter than some configurable minimal size (default 1024 bits)
for important decisions, such as whitelisting based on a DKIM
signature.
The patch introduces a new configuration setting:
=item dkim_minimum_key_bits n (default: 1024)
The smallest size of a signing key (in bits) for a valid signature to be
considered for whitelisting. Additionally, the eval function check_dkim_valid()
will return false on short keys when called with explicitly listed domains,
and the eval function check_dkim_valid_author_sig() will return false on short
keys (regardless of its arguments). Setting the option to 0 disables a key
size check.
Note that the option has no effect when the eval function check_dkim_valid()
is called with no arguments (like in a rule DKIM_VALID). A mere presence of
some valid signature on a message has no reputational value (without being
associated with a particular domain), regardless of its key size - anyone can
prepend its own signature on a copy of some third party mail and re-send it,
which makes it no more trustworthy than without such signature. This is also
a reason for a rule DKIM_VALID to have a near-zero score.
--
You are receiving this mail because:
You are the assignee for the bug.
