From the ARC spec:

5.3 <https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-01#section-5.3>. Key Management and Binding

   The public keys for ARC header fields follow the same requirements and semantics as those for DKIM-Signatures, described in Section 3.6 of [RFC6376] <https://tools.ietf.org/html/rfc6376#section-3.6>. Operators may use distinct selectors for the ARC header fields at their own discretion.

From the DKIM spec (RFC 6376):

3.3.3 <https://tools.ietf.org/html/rfc6376#section-3.3.3>. Key Sizes

   Selecting appropriate key sizes is a trade-off between cost, performance, and risk. Since short RSA keys more easily succumb to off-line attacks, Signers MUST use RSA keys of at least 1024 bits for long-lived keys. Verifiers MUST be able to validate signatures with keys ranging from 512 bits to 2048 bits, and they MAY be able to validate signatures with larger keys. Verifier policies may use the length of the signing key as one metric for determining whether a signature is acceptable.

and

3.3 <https://tools.ietf.org/html/rfc6376#section-3.3>. Signing and Verification Algorithms

   DKIM supports multiple digital signature algorithms. Two algorithms are defined by this specification at this time: rsa-sha1 and rsa-sha256. Signers MUST implement and SHOULD sign using rsa-sha256. Verifiers MUST implement both rsa-sha1 and rsa-sha256.

While admittedly the ARC RFC points to a different section of RFC 6376 (3.6), the statement at the beginning of section 5.3 certainly reads like it inherits public key requirements and semantics from the DKIM RFC. The DKIM RFC explicitly requires verifiers to validate signatures with bit sizes ranging from 512 bits to 2048 bits.

If the key sizes recommendation is not intended to be inherited from RFC 6376, then that should probably be explicitly called out and the appropriate key guidelines defined.

Best,

Peter

On Sat, Jan 21, 2017 at 4:12 PM, Kurt Andersen <ku...@drkurt.com> wrote:

>
> On Jan 20, 2017 11:23, "Scott Kitterman" <skl...@kitterman.com> wrote:
>
> I understand the minimum key size in the draft is 512 bits.
>
>
> There is nothing in the ARC spec about key sizes.
>
> --Kurt
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

--
Bringing Trust to Email
Peter Goldstein | CTO & Co-Founder
pe...@valimail.com
+1.415.793.5783
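The "length of the signing key as one metric" policy quoted above from RFC 6376 section 3.3.3, sketched as an added example that is not part of the original message or of either specification: it reads the RSA modulus length out of a DKIM-format key record (the format ARC keys share) and applies a minimum. The function names, the `min_bits` default of 1024, the verdict strings and the sample keys are assumptions made for illustration; the sample keys are constructed and are not usable keys.

```python
import base64
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def read_tlv(buf, pos=0):                  # -> (tag, value, next_pos) of the DER element at pos
    if len(buf) < pos + 2:
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):                # spki: DER SubjectPublicKeyInfo from the p= tag
    _, body, _ = read_tlv(spki)            # outer SEQUENCE
    _, alg, pos = read_tlv(body)           # AlgorithmIdentifier
    if not alg.startswith(RSA_OID):
        raise ValueError("not an RSA key")
    tag, bitstr, _ = read_tlv(body, pos)   # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[:1] != b"\x00":
        raise ValueError("unexpected key encoding")
    _, rsa_key, _ = read_tlv(bitstr, 1)    # SEQUENCE { modulus, publicExponent }
    _, modulus, _ = read_tlv(rsa_key)
    return int.from_bytes(modulus, "big").bit_length()

def check_key_record(txt, min_bits=1024):  # min_bits: local verifier policy (assumption)
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    if tags.get("k", "rsa") != "rsa":
        return None, "unsupported key type"
    if not tags.get("p"):
        return None, "revoked"             # RFC 6376: empty p= means the key is revoked
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return bits, "accept" if bits >= min_bits else "reject: below policy minimum"

def der(tag, value):                       # minimal DER encoder, used only to build samples
    n, k = len(value), (len(value).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + value

def sample_record(bits):                   # constructed: right length, not a usable key
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    ints = der(0x02, n) + der(0x02, (65537).to_bytes(3, "big"))
    spki = der(0x30, der(0x30, RSA_OID + b"\x05\x00") + der(0x03, b"\x00" + der(0x30, ints)))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Calling `check_key_record(sample_record(512))` with the default policy rejects the key, while passing `min_bits=512` accepts it, which is the gap between "must be able to validate" and "chooses to accept" that the thread is discussing.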