> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Jim Fenton
> Sent: Sunday, June 20, 2010 9:45 PM
> To: [email protected]
> Subject: [dkim-ops] DKIM key length criticism
>
> I noticed a blog post critical of Facebook for only using a 512-bit key
> in their DKIM signatures:
>
> http://blog.jgc.org/2010/06/facebooks-dkim-rsa-key-should-be.html
>
> His analysis looks correct, except that he doesn't consider the
> possibility that they might rotate their keys periodically (although, as
> far as I can tell, they haven't yet).
>
> Of course, there's a follow-on blog post that confuses the issue further:
>
> http://techie-buzz.com/tech-news/facebook-insecure-dkim-encryption-mail.html
>
> by suggesting that DKIM does encryption.
>
> I'm in the process of collecting a bunch of DKIM selector data to see
> what the distribution of key lengths looks like. But I'm hard pressed
> to criticize a domain for using a key that's marginally too short when
> there are so many other domains that aren't signing at all.
>
> Any thoughts?
>
> -Jim
I don't think it's a generic when we talk about domains and DKIM signing. The fact that someone's billybob.com domain doesn't sign is orthogonal to the issue of high-risk domains using 512-bit keys and not rotating.

For many (most?) domains simply getting all their mail signed is a large undertaking. Key rotation is a bit scary and raises potential self-inflicted pain if not handled well. This leads to many domains not rotating at all as they put off dealing with the issue. I've had this discussion with various people and it seems that quite a few are looking to rotate once a year at this point.

We are using 1024-bit and my personal goal (stay tuned) is to rotate every 90 days with a yet-to-be-determined overlap on the keys. This is not so much because of concern about weakness of keys but more about an operational process that recurs at a frequency the Ops team is comfortable and confident implementing.

As far as the encryption comment, a little knowledge is a dangerous thing.

Mike

_______________________________________________
dkim-ops mailing list
[email protected]
http://mipassoc.org/mailman/listinfo/dkim-ops
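The check behind Jim's selector survey, as an added example that is not code from either poster or from any DKIM tool: take the `p=` value of a selector's TXT record, parse the DER SubjectPublicKeyInfo it carries, and report the RSA modulus length so a 512-bit key stands out next to the 1024-bit one Mike describes. The DNS lookup is left out; the records are constructed inline with `build_dkim_record`, and `dkim_key_bits` is a name chosen here.

```python
import base64
import re

RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption OID, DER-encoded

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v):
    # (bit_length + 8) // 8 reserves a leading 0x00 when the high bit is set
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def build_dkim_record(n, e=65537):
    """Constructed DKIM TXT record around a made-up modulus n (test data, not a real key)."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))           # RSAPublicKey
    alg = _der(0x30, RSA_OID_DER + b"\x05\x00")               # AlgorithmIdentifier
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))    # SubjectPublicKeyInfo
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln

def dkim_key_bits(txt):
    """RSA modulus size in bits for a DKIM TXT record; None if revoked or not RSA."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)   # folding whitespace is allowed in p=
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return None                                    # empty p= means the key is revoked
    _, body, _ = _read_tlv(base64.b64decode(tags["p"]), 0)   # SubjectPublicKeyInfo
    _, alg, pos = _read_tlv(body, 0)                   # AlgorithmIdentifier
    if not alg.startswith(RSA_OID_DER):
        return None
    _, bits, _ = _read_tlv(body, pos)                  # BIT STRING wrapping RSAPublicKey
    _, rsa_key, _ = _read_tlv(bits, 1)                 # skip the unused-bits byte
    _, n_bytes, _ = _read_tlv(rsa_key, 0)              # INTEGER n
    return int.from_bytes(n_bytes, "big").bit_length()

if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        print(bits, dkim_key_bits(build_dkim_record((1 << (bits - 1)) | 0x10001)))
```

Running the same function over the TXT records of real selectors gives the key-length distribution Jim mentions; anything reporting 512 is a candidate for rotation to a longer key.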
