NIST wants to deprecate digital signature algorithms that offer less than 128 bits of security by 2030. That means, for example, 2048-bit RSA. The next step is disallowing RSA, ECDSA, EdDSA and SHA-256 by the year 2035,¹ even if they offer more than 128 bits of security. The Australian government has made similar announcements, with the deadline being the year 2030.²
Even though it does sound a bit ambitious, it does signify the need to formalize the use of post-quantum algorithms for use with DKIM, if there's a wish to use it in those contexts in the future. It shouldn't be too difficult to start running a few experiments with ML-DSA basically right now and to see what pops up.
It might also be a good idea to start with publishing an operations notice that recommends full deprecation of SHA1 in the context of DKIM, requesting assessors to ignore those signatures (just treating it as an unknown algorithm). Ideally the notice would also heavily recommend dual-signing with Ed25519, for one main reason: to weed out systems that can't tolerate multiple signatures, and to do so sooner rather than later. The extra five years from the increased security level over 2048-bit RSA probably won't save much. (And shame on you, Amazon SES, for not supporting multiple signatures!)
[1]: https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf
[2]: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography
Best Regards, Taavi Eomäe
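The assessor policy proposed above (treat rsa-sha1 as an unknown algorithm and skip it, while still evaluating the other signatures on a dual-signed message), as an added example that is not part of the original mail. It only does the pre-selection step of a verifier; key lookup and signature verification are assumed to happen afterwards on the "evaluate" list. The message, selectors and b= values are constructed placeholders.

```python
import re

# Signature algorithms the assessor still evaluates: rsa-sha256 (RFC 6376) and
# ed25519-sha256 (RFC 8463). rsa-sha1 is deliberately left out so it takes the
# same path as any unknown algorithm, which is what the note above proposes.
ACCEPTED_ALGS = {"rsa-sha256", "ed25519-sha256"}

def parse_tags(value: str) -> dict[str, str]:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def dkim_signature_headers(raw_message: str) -> list[str]:
    """Return every DKIM-Signature header value, with folded lines unfolded."""
    header_block = raw_message.split("\n\n", 1)[0]
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_block)
    return [line.split(":", 1)[1].strip() for line in unfolded.split("\n")
            if line.lower().startswith("dkim-signature:")]

def assess(raw_message: str) -> dict[str, list[str]]:
    """Sort each signature into 'evaluate' (hand to the verifier) or 'ignore'."""
    result = {"evaluate": [], "ignore": []}
    for value in dkim_signature_headers(raw_message):
        tags = parse_tags(value)
        alg = tags.get("a", "").lower()
        label = f"{tags.get('d', '?')}/{tags.get('s', '?')}:{alg or '?'}"
        # Unknown algorithms are skipped, not failed: a dual-signed message still
        # passes on whichever signature(s) the assessor supports.
        result["evaluate" if alg in ACCEPTED_ALGS else "ignore"].append(label)
    return result

# Constructed triple-signed message (selectors and b= values are placeholders, not real).
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha1; d=example.org; s=legacy; h=from:to;\n"
    "  bh=cons/tructed=; b=AAAA\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=rsa2024; h=from:to;\n"
    "  bh=cons/tructed=; b=BBBB\n"
    "DKIM-Signature: v=1; a=ed25519-sha256; d=example.org; s=ed2024; h=from:to;\n"
    "  bh=cons/tructed=; b=CCCC\n"
    "From: sender@example.org\n\nHello\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE))
```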
