Hanno Böck wrote:
> On Mon, 28 Feb 2011 09:44:25 -0500,
> Dave CROCKER <[email protected]> wrote:
>
>> Just for archive completeness (and to comfort folks like me who lack
>> crypto clue) could you offer a very brief summary of the difference
>> between what DKIM currently uses and what is being suggested,
>> especially in terms of how the newer one is better and why that might
>> be important?
>
> The difference is merely protection against hypothetical weaknesses in
> the padding scheme. Old padding schemes have been made more or less in
> a naive way (usually hash-then-sign), while PSS (specified in PKCS #1
> 2.1) provides provable security properties under certain model
> assumptions.

Thanks for the explanation. I've always approached these kinds of problems for dkim with a test like "if I could exploit a weakness at great expense, would dkim signatures be on the short list?" The answer is invariably no. It's similarly why the SHA1 brouhaha wasn't _that_ big a deal, IMO.

Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
