Yet another reason not to worry about this in DMARCbis. What I suggested below is reasonable for today. You are correct that it will change. Leaving DKIM's issues to DKIM is the right answer.

Scott K

On October 27, 2022 2:33:01 PM UTC, "Brotman, Alex" <[email protected]> wrote:
>How will we handle the ever-changing definition of "weak"?
>
>--
>Alex Brotman
>Sr. Engineer, Anti-Abuse & Messaging Policy
>Comcast
>
>> -----Original Message-----
>> From: dmarc <[email protected]> On Behalf Of Scott Kitterman
>> Sent: Wednesday, October 26, 2022 10:27 PM
>> To: [email protected]
>> Subject: Re: [dmarc-ietf] Weak signatures
>>
>> On October 26, 2022 11:56:31 PM UTC, Steven M Jones <[email protected]> wrote:
>> >On 10/26/22 16:45, Neil Anuskiewicz wrote:
>> >>> On Oct 26, 2022, at 3:48 AM, Douglas Foster <[email protected]> wrote:
>> >>>
>> >>> Murray first raised the issue of weak signatures.
>> >>> ...
>> >>>
>> >>> Weak results need to be part of the aggregate report so that domain owners understand the importance of moving from weak to strong signatures.
>> >>> ...
>> >>>
>> >>> - DMARC Evaluation does not exit upon finding an aligned and verified weak signature. Instead, the result is noted but the evaluation continues in hopes of finding an aligned and verified strong signature.
>> >> Strong defined as the strength of the encryption algorithm (i.e., key size).
>> >
>> >And to be clear(er), any language talking about "strength" in terms of key size has to account for algorithm + key size, or you can get some incorrect treatment of e.g. elliptical curve signatures.
>>
>> If we need to define it, I'd say "weak" is anything that doesn't meet the requirements of RFC 8301 (RSA key length < 1024 bits or hash is SHA-1). Any RSA SHA-256 with a large enough key or any ed25519-SHA-256 (RFC 8463) is not weak.
>>
>> No need to spend a lot of effort on this.
>>
>> Scott K

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
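
The definition and evaluation order discussed in this thread, as an added example that is not part of any message above and is not code from any DMARC implementation. `SigResult`, the `key_bits` input and the `pass-weak` label are assumptions made for illustration.

```python
from typing import NamedTuple

MIN_RSA_BITS = 1024  # threshold quoted in the thread from RFC 8301

class SigResult(NamedTuple):  # hypothetical verifier output, one per DKIM-Signature
    header: str               # raw DKIM-Signature header value
    key_bits: int             # public key size the verifier fetched (assumed input)
    verified: bool
    aligned: bool

def parse_tags(header):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags

def strength(sig):
    """Classify by algorithm plus key size, so ed25519's 256-bit keys are not misjudged."""
    algo = parse_tags(sig.header).get("a", "").lower()
    if algo == "ed25519-sha256":
        return "strong"
    if algo == "rsa-sha256":
        return "strong" if sig.key_bits >= MIN_RSA_BITS else "weak"
    if algo == "rsa-sha1":
        return "weak"
    return "unknown"  # not counted as a pass either way

def evaluate(sigs):
    """Do not stop at a weak pass: note it and keep looking for a strong one."""
    weak_selectors = []
    for sig in sigs:
        if not (sig.verified and sig.aligned):
            continue
        grade = strength(sig)
        if grade == "strong":
            return "pass", weak_selectors
        if grade == "weak":
            weak_selectors.append(parse_tags(sig.header).get("s"))
    return ("pass-weak" if weak_selectors else "fail"), weak_selectors

# Constructed sample results, not taken from real mail.
SAMPLE = [
    SigResult("v=1; a=rsa-sha1; d=example.com; s=old", 2048, True, True),
    SigResult("v=1; a=rsa-sha256; d=example.com; s=short", 768, True, True),
    SigResult("v=1; a=ed25519-sha256; d=example.com; s=ed", 256, True, True),
]
```

The second return value lists the selectors that only passed weakly, which is the information an aggregate report would need to carry.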
