Package: libmail-dkim-perl
Version: 0.44-1
Severity: important
Tags: upstream

The IETF recently published updated guidance on minimum RSA key sizes for use with DKIM[1]. I decided to check in Debian to see what packages might need to be updated as a result. I've looked and I can't find where Mail::DKIM checks key size at all. This is a security concern since it allows trivially factorable keys to produce apparently valid signatures (just last year I ran into a consulting client with a 384-bit key who was surprised his DKIM wasn't working very well anymore).

Note, I'm not a Perl person, so I may have missed it when I read the code. Assuming I'm right though, while I'm not sure what the best approach to resolve this is, I do think it's concerning and needs to be fixed.

Scott K

[1] https://tools.ietf.org/html/rfc8301
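What the missing check would look like, as an added example that is not part of the bug report and not Mail::DKIM code: a verifier-side key-size gate on the DKIM DNS TXT record. It walks the DER SubjectPublicKeyInfo in the record's p= tag with the standard library only, reads the RSA modulus bit length, and refuses anything under the 1024-bit floor RFC 8301 sets (an empty p= is treated as a revoked key, as RFC 6376 defines it). The sample records are constructed inline around synthetic moduli that merely have the right size; they are not real RSA keys, which is all a size check needs, and the 384-bit case mirrors the key the reporter describes.

```python
"""Minimum RSA key-size check for a DKIM public-key TXT record (RFC 8301).

Added example, not Mail::DKIM code: parses the base64 SubjectPublicKeyInfo
in the record's p= tag with a minimal DER walker and rejects moduli below
the RFC 8301 floor. Pure standard library.
"""
import base64

MIN_RSA_BITS = 1024                                   # RFC 8301 section 3.2 floor
RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"     # 1.2.840.113549.1.1.1 rsaEncryption


def _der_len(buf, i):
    """Return (length, index_of_value) for the DER length field at buf[i]."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_tlv(buf, i):
    """Return (tag, value_bytes, index_after_tlv) for the TLV at buf[i]."""
    tag = buf[i]
    length, start = _der_len(buf, i + 1)
    return tag, buf[start:start + length], start + length


def parse_dkim_record(txt):
    """Split a 'k=v; k=v' DKIM record into a dict; folded whitespace in p= is dropped."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def rsa_modulus_bits(spki_der):
    """Modulus bit length of an rsaEncryption SubjectPublicKeyInfo, else ValueError."""
    tag, spki, _ = _der_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg, i = _der_tlv(spki, 0)            # AlgorithmIdentifier, i -> BIT STRING
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid, _ = _der_tlv(alg, 0)
    if tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _der_tlv(spki, i)
    if tag != 0x03 or bits[0] != 0:            # first byte = unused-bit count, must be 0
        raise ValueError("bad subjectPublicKey BIT STRING")
    tag, rsapub, _ = _der_tlv(bits[1:], 0)     # RSAPublicKey ::= SEQUENCE { n, e }
    if tag != 0x30:
        raise ValueError("RSAPublicKey is not a SEQUENCE")
    tag, n, _ = _der_tlv(rsapub, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(n, "big").bit_length()


def check_dkim_key(txt, minimum=MIN_RSA_BITS):
    """Return (accepted, modulus_bits, reason) for a DKIM TXT record."""
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa":
        return False, 0, "non-RSA key type, size check not applicable"
    if not tags.get("p"):
        return False, 0, "empty p= (revoked key)"
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError) as exc:
        return False, 0, f"unparseable public key: {exc}"
    if bits < minimum:
        return False, bits, f"RSA modulus {bits} bits below RFC 8301 minimum {minimum}"
    return True, bits, "ok"


# --- constructed sample records (synthetic moduli, not real RSA keys) ---------

def _der(tag, value):
    """Encode one DER TLV; lengths up to 65535 bytes are enough for these samples."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + value


def _der_int(v):
    raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                          # keep the INTEGER positive
        raw = b"\x00" + raw
    return _der(0x02, raw)


def constructed_record(bits, exponent=65537):
    """DKIM TXT record around a synthetic modulus of exactly `bits` bits (constructed, not a real key)."""
    modulus = (1 << (bits - 1)) | 1
    rsapub = _der(0x30, _der_int(modulus) + _der_int(exponent))
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsapub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


if __name__ == "__main__":
    for size in (384, 1024, 2048):
        print(size, check_dkim_key(constructed_record(size)))
```

The gate belongs at the point where the verifier has fetched the selector's TXT record and before the RSA signature is checked; a verifier that runs it treats a too-short key the same way as a missing or revoked one, so a 384-bit key can no longer yield a "pass" result regardless of whether the signature itself verifies.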
The IETF recently published updated guidance on minimum RSA key sizes for use with DKIM[1]. I decided to check in Debian to see what packages might need to be updated as a result. I've looked and I can't find where Mail::DKIM checks key size at all. This is a security concern since it allows trivially factorable keys to produce apparently valid signatures (just last year I ran into a consulting client with a 384 bit key that was surprised his DKIM wasn't working very well anymore). Note, I'm not a Perl person, so I may have missed it when I read the code. Assuming I'm right though, while I'm not sure what the best approach to resolve this is, but I do think it's concerning and needs to be fixed. Scott K [1] https://tools.ietf.org/html/rfc8301