So my thought here is that now that DCRUP is due imminently, we should update the YANG test suite to reject SHA-1 hashes.
Thoughts?

Best,
Peter

On Wed, Dec 13, 2017 at 11:10 AM, John Levine <[email protected]> wrote:
> I am working on yet another ARC library and am wondering what to do
> about SHA1 signatures and 512 bit keys. The DCRUP working group has
> sent a DKIM update to the RFC editor which finally kills SHA1 hashes
> and RSA keys shorter than 1024 bits. It's in the queue and will be
> published when they get around to it, probably next month.
>
> On the assumption that ARC signatures track DKIM, what should I do?
> At the moment I have a "strict" option in the verifier which when set
> rejects SHA1 hashes and short keys. I suppose it should be on by
> default, but a couple of the tests in the YANG test suite have SHA1
> signatures. There's also a test that 512 bit signatures are rejected,
> so depending on the setting currently I can either fail the SHA1
> signatures or I can fail the short key signature.
>
> Suggestions?
>
> Signed,
> Uncertain
>
> PS: Coming soon to DKIM, ed25519 signatures, but since the underlying
> library code isn't in OpenSSL yet, I'm not yet worrying about it.
>
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc
>
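An illustration of the verifier policy discussed in this thread, added here as an example and not taken from either poster's library: it reads the `a=` tag of a signature header and the modulus length from the key record's `p=` value, then rejects SHA-1 hashes and RSA keys below 1024 bits. The names `check_signature`, `reject_sha1` and `min_rsa_bits`, and the choice to make the two checks separate parameters, are assumptions of this example.

```python
import base64
import re

def parse_tags(value):
    """Parse a DKIM/ARC tag=value list; folding whitespace inside values is dropped."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {name.strip(): re.sub(r"\s+", "", val) for name, val in pairs}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def rsa_key_bits(p_b64):
    """Modulus size in bits of a p= value (SubjectPublicKeyInfo or bare RSAPublicKey)."""
    der = base64.b64decode(p_b64)
    tag, pos, _ = read_tlv(der, 0)               # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, start, end = read_tlv(der, pos)         # AlgorithmIdentifier, or modulus if bare
    if tag == 0x30:                              # SPKI: the key sits inside a BIT STRING
        tag, start, _ = read_tlv(der, end)
        if tag != 0x03:
            raise ValueError("BIT STRING expected")
        _, start, _ = read_tlv(der, start + 1)   # skip unused-bits byte, enter RSAPublicKey
        tag, start, end = read_tlv(der, start)   # modulus INTEGER
    if tag != 0x02:
        raise ValueError("RSA modulus not found")
    return int.from_bytes(der[start:end], "big").bit_length()

def check_signature(sig_header, key_record, reject_sha1=True, min_rsa_bits=1024):
    """Return (accepted, reason); both policy parameters are assumptions of this example."""
    algo = parse_tags(sig_header).get("a", "")
    key_type, _, hash_name = algo.partition("-")
    if reject_sha1 and hash_name == "sha1":
        return False, "sha1 hash"
    if key_type == "rsa":
        try:
            bits = rsa_key_bits(parse_tags(key_record).get("p", ""))
        except (ValueError, IndexError):         # empty (revoked) or malformed p= value
            return False, "unparseable key"
        if bits < min_rsa_bits:
            return False, f"{bits}-bit rsa key"
    return True, "ok"
```

With the defaults, a signature using `a=rsa-sha1` or a 512-bit key is rejected; passing `reject_sha1=False` keeps only the key-length floor.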
