I noticed a blog post critical of Facebook for only using a 512-bit key in their DKIM signatures:
http://blog.jgc.org/2010/06/facebooks-dkim-rsa-key-should-be.html

His analysis looks correct, except that he doesn't consider the possibility that they might rotate their keys periodically (although, as far as I can tell, they haven't yet).

Of course, there's a follow-on blog post that confuses the issue further by suggesting that DKIM does encryption:
http://techie-buzz.com/tech-news/facebook-insecure-dkim-encryption-mail.html

I'm in the process of collecting a bunch of DKIM selector data to see what the distribution of key lengths looks like. But I'm hard pressed to criticize a domain for using a key that's marginally too short when there are so many other domains that aren't signing at all.

Any thoughts?

-Jim
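One way to measure what the post sets out to collect, the RSA modulus size behind a selector's p= tag, added here as an example that is not part of the original message: it wraps a constructed, non-key modulus in a DKIM selector record (no real key material is used) and reads the bit length back out of the DER SubjectPublicKeyInfo, treating revoked (empty p=) and non-RSA records as having no measurable key.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1

def der_tlv(tag, body):
    """Encode one DER tag-length-value; long-form length for bodies >= 128 bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nbytes)]) + nbytes
    return bytes([tag]) + length + body

def der_int(value):
    """DER INTEGER: big-endian, with a leading 0x00 when the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return der_tlv(0x02, (b"\x00" + raw) if raw[0] & 0x80 else raw)

def build_dkim_record(modulus, exponent=65537):
    """Constructed selector TXT record around an RSA SubjectPublicKeyInfo (test input only)."""
    rsa_pub = der_tlv(0x30, der_int(modulus) + der_int(exponent))
    alg_id = der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def der_read(buf, pos):
    """Decode one TLV at buf[pos]; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def dkim_key_bits(record):
    """RSA modulus size in bits for a DKIM selector record, or None if the
    record carries no usable RSA key (revoked, empty p=, or a non-RSA k=)."""
    tags = {}
    for field in record.split(";"):
        if "=" in field:
            name, value = field.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # folding whitespace is allowed in p=
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return None
    spki_tag, spki, _ = der_read(base64.b64decode(tags["p"]), 0)
    _, alg_id, after_alg = der_read(spki, 0)
    _, oid, _ = der_read(alg_id, 0)
    bits_tag, bit_string, _ = der_read(spki, after_alg)
    if spki_tag != 0x30 or oid != RSA_OID or bits_tag != 0x03:
        return None
    _, rsa_pub, _ = der_read(bit_string[1:], 0)  # skip the BIT STRING unused-bits byte
    _, modulus, _ = der_read(rsa_pub, 0)
    return int.from_bytes(modulus, "big").bit_length()
```

Feeding the output of a TXT lookup for `<selector>._domainkey.<domain>` into dkim_key_bits gives the per-domain key length for the distribution the post describes.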
