In article <CABuGu1r-Q2YejZLehQVp95spknZ0seEyJ8Op+Pvj8hiU=dv...@mail.gmail.com> you write:
>> No responsible operator has used the RFC minimum DKIM key sizes for a long
>> time. They were trivial to bypass half a decade ago. No one has ever
>> complained about 1024 bits default minimum being too big. ...

>I agree with your points, but don't you think it would be better to "fix"
>the DKIM spec than to have ARC "do its own thing" which does not address
>the weakness still enshrined in the DKIM spec?

Only if we want to stall ARC for a couple of years while we have unproductive arguments about what it means to update the DKIM spec and whether key lengths are the only thing we want to twiddle.

While ARC signatures are a lot like DKIM signatures, they're not DKIM signatures. A spec that says "ARC signatures are created the same way as DKIM signatures except that keys MUST be at least 1024 bits" is no harder to implement than one that says they're just the same, and is likely to match what people do in practice anyway.

I looked at the current version of dkimpy (0.5.6) and found that by default it requires a minimum key length of 1024 which you can override with a larger or smaller size if you want. If Scott says nobody's ever complained about it, I believe him.

R's,
John
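The minimum-key-length rule discussed in this message, as an added example that is not part of the original post and is not dkimpy's code: it reads the RSA modulus size out of the `p=` tag of a DKIM-style key record and compares it with a configurable floor. The function names, the `min_bits` parameter and the sample records are assumptions made for illustration; the sample moduli are constructed bit patterns, not usable keys.

```python
import base64

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def rsa_modulus_bits(der):
    """Modulus size of a SubjectPublicKeyInfo or a bare RSAPublicKey."""
    tag, start, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, s, e = _tlv(der, start)
    if tag == 0x30:                        # AlgorithmIdentifier: key sits in the BIT STRING
        tag, s, e = _tlv(der, e)
        if tag != 0x03:
            raise ValueError("expected BIT STRING")
        der = der[s + 1:e]                 # skip the unused-bits octet
        _, start, _ = _tlv(der, 0)
        tag, s, e = _tlv(der, start)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(der[s:e], "big").bit_length()

def key_record_bits(txt):
    """Key size published in a key record such as 'v=DKIM1; k=rsa; p=...'."""
    pairs = (t.split("=", 1) for t in txt.split(";") if "=" in t)
    tags = {k.strip(): v for k, v in pairs}
    p = "".join(tags.get("p", "").split())  # folded records may contain whitespace
    if not p:
        raise ValueError("empty p= (revoked key)")
    return rsa_modulus_bits(base64.b64decode(p))

def meets_minimum(txt, min_bits=1024):
    """True when the published key is at least min_bits long."""
    return key_record_bits(txt) >= min_bits

def _der(tag, body):                       # encoder used only to build the sample data
    n, size = len(body), (len(body).bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + hdr + body

def sample_record(bits):
    """Constructed record: the modulus is a fixed bit pattern, not a usable key."""
    n = (1 << (bits - 1)) | 1
    rsa = _der(0x30, _der(2, b"\x00" + n.to_bytes(bits // 8, "big")) + _der(2, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(_der(0x30, alg + _der(3, b"\x00" + rsa))).decode()
```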
