On 2012-10-26 2:44 AM, Ben Laurie wrote:
As someone who sees the effects of actually using DKIM, I can but roll
my eyes and shrug. In short, it turns out to be a pretty bad idea to
hard fail on DKIM because it totally doesn't work with mailing lists.
Which makes it pretty useless, key size
John Levine jo...@iecc.com writes:
Hmmn. Is there some point to speculating about the behavior of mail systems
about which you know nothing?
Absolutely. We have a system design to perform a certain function (and,
unfortunately, mis-marketed as being a solution to a rather different problem,
Dave Crocker dcroc...@bbiw.net writes:
In summary, it turns out that what seems like half the world's DKIM users are
using toy keys as short as 384 bits.
Since neither Wired nor CERT cited anyone's using 384-bit DKIM keys, I don't
know where this assertion comes from.
Harris found three
On 26/10/12 20:11 PM, Peter Gutmann wrote:
John Levine jo...@iecc.com writes:
Hmmn. Is there some point to speculating about the behavior of mail systems
about which you know nothing?
Absolutely. We have a system design to perform a certain function (and,
unfortunately, mis-marketed as
Peter Gutmann wrote:
John Levine jo...@iecc.com writes:
Is there some point to speculating ...?
Absolutely. ...
... so I'm
assuming there was some business-case issue ...
... a security mechanism was deployed on a large scale ...
Let me speculate a moment.
The 384 bits keys are much
On 2012-10-26 7:11 PM, Peter Gutmann wrote:
I'd like to find out what caused this, not to lay blame, but to understand
what the issue was and to make sure that it won't come back to bite us again
in future deployments.
My own experience, not necessarily typical and representative, is that it
On Fri, Oct 26, 2012 at 06:29:47PM +, John Case wrote:
So, given what is in the stanford report and then reading this rant
about openssl, I am wondering just how bad openssl is? I've never
had to implement it or code with it, so I really have no idea.
How long has it been understood
On Fri, Oct 26, 2012 at 2:27 AM, ianG i...@iang.org wrote:
- It probably wasn't an accidental mis-config, because it's unlikely that a
pile of major organisations would all make the same config mistake. Look at
SSL, the exact same organisations have no problem using strong SSL keys,
On 10/24/12 9:18 PM, Jon Callas wrote:
Note the weasel-words long-lived. I think that the people caught out
in this were risking things -- but let's also note that the length of
exposure is the TTL of the DNS entries.
I wouldn't characterize those as weasel-words, but rather that they were