On Tue, 24 Jan 2017, Brandon Long wrote:
> I'm not opposed to requiring support for different encryption algorithms, but we really need to clean up and understand exactly how we handle migration to a new algorithm, probably with a section in the draft specific to it with an example.
Fortunately, we have experience migrating from SHA1 to SHA256 hashes with DKIM.
Basically, as soon as you have support for the new algorithm, you start signing with both old and new. After a while (likely a year or more) you try dropping the old signatures and see if your verification rates drop. I'd think that DMARC reports would be useful here. Eventually the verification rates are close enough that you stop using the old algorithm.
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
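An added illustration of the dual-signing migration described in the reply above; it is example code written for this page, not code from the thread or from any DKIM implementation. HMAC with a constructed key stands in for DKIM's RSA signatures so that the block runs with the standard library only; the receiver population shares (30% old-only, 70% upgraded) are likewise constructed. What it shows is the verifier rule that makes dual signing safe (one valid signature in a supported algorithm is enough, unsupported algorithms are skipped) and the resulting verification rate under three signing policies, plus the "close enough" check for dropping the old algorithm.

```python
"""Dual-signature algorithm migration, modelled on DKIM's move from SHA-1 to SHA-256."""
import hashlib
import hmac
from typing import Iterable, List, Set, Tuple

# Constructed key material (assumption): HMAC replaces DKIM's RSA signing so this
# runs offline with the standard library only. The verifier logic is the point.
SIGNING_KEY = b"constructed-example-key"

# Algorithm tags as they would appear in a signature header, mapped to their digest.
ALGORITHMS = {"rsa-sha1": hashlib.sha1, "rsa-sha256": hashlib.sha256}

Signature = Tuple[str, str]  # (algorithm tag, hex signature)


def sign(body: bytes, algorithms: Iterable[str]) -> List[Signature]:
    """Emit one signature per requested algorithm, mirroring a signer that
    attaches one DKIM-Signature header per algorithm during the overlap period."""
    return [(alg, hmac.new(SIGNING_KEY, body, ALGORITHMS[alg]).hexdigest())
            for alg in algorithms]


def verify(body: bytes, signatures: List[Signature], supported: Set[str]) -> bool:
    """A verifier passes the message if any signature uses an algorithm it supports
    and that signature validates. Signatures in unknown algorithms are ignored, not
    treated as failures; that is what lets old and new verifiers coexist."""
    for alg, sig in signatures:
        if alg not in supported:
            continue
        expected = hmac.new(SIGNING_KEY, body, ALGORITHMS[alg]).hexdigest()
        if hmac.compare_digest(expected, sig):
            return True
    return False


# Constructed receiver population (assumption): weight = share of verifying traffic.
RECEIVERS = [
    ({"rsa-sha1"}, 0.30),               # legacy verifiers, old algorithm only
    ({"rsa-sha1", "rsa-sha256"}, 0.70),  # upgraded verifiers
]


def verification_rate(signing_policy: Iterable[str], receivers=RECEIVERS,
                      body: bytes = b"constructed message body") -> float:
    """Fraction of traffic that verifies when the signer uses signing_policy.
    In practice this is the number read off aggregate (DMARC) reports."""
    sigs = sign(body, list(signing_policy))
    return round(sum(w for supported, w in receivers if verify(body, sigs, supported)), 4)


def ready_to_drop_old(receivers=RECEIVERS, tolerance: float = 0.01) -> bool:
    """Cutover check: the new-only rate must be within `tolerance` of the dual-signed rate."""
    dual = verification_rate(["rsa-sha1", "rsa-sha256"], receivers)
    new_only = verification_rate(["rsa-sha256"], receivers)
    return dual - new_only <= tolerance


if __name__ == "__main__":
    for policy in (["rsa-sha1"], ["rsa-sha1", "rsa-sha256"], ["rsa-sha256"]):
        print(policy, verification_rate(policy))
    print("ready to drop rsa-sha1:", ready_to_drop_old())
```

With the constructed population, old-only and dual signing both verify for 100% of traffic, while new-only drops to 70%, so the cutover check says the old algorithm cannot be dropped yet; shrinking the legacy share until the gap is within tolerance flips that answer.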
