> On Jan 23, 2017, at 2:41 AM, Murray S. Kucherawy <superu...@gmail.com> wrote:
>
> As I recall there are issues using keys bigger than 1024 bits because
> construction and/or correct interpretation of TXT records that contain keys
> of that size or bigger has been problematic due to DNS provisioning software
> that does the former wrong and DKIM verifiers that do the latter wrong. To
> my knowledge, nobody has ever shown evidence that the larger keys are too
> computationally expensive to be used, or that any of the other things
> mentioned in Section 3.3.3 of RFC6376 are actually a problem.
Yup.

> If we can nail those issues down, I think a lot of the practical resistance
> goes away, and ARC can easily say ">= 1024" or whatever we want and be done
> with it.

Fixing the DNS provision software everywhere isn't going to be trivial (and there's even a slight question of what fixing it means - a TXT record contains multiple strings and that DKIM concatenates them into a single one is a DKIM thing, not a DNS TXT thing). Continuing to push for that is a good thing, but it's going to take time.

But fixing that isn't required for 1024 bit keys and I don't see any good reason not to say ">= 1024 bits" today.

Cheers,
  Steve

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
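As an added illustration of the TXT-string point in the message above (example code written for this page, not code from the thread or from any DKIM implementation), the following Python builds a DKIM record around a constructed dummy modulus, splits it into the 255-octet character-strings a TXT RR is made of, and then reads the key size back two ways: concatenating all strings as RFC 6376 requires, and reading only the first string as a broken verifier would. The modulus, the record text and the helper names are all assumptions made for the example; a 1024-bit key fits in one string and both readers agree, while a 2048-bit key spans two strings and the first-string-only reader fails.

```python
import base64
import binascii

# rsaEncryption OID (1.2.840.113549.1.1.1), already DER encoded
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")
MAX_TXT_STRING = 255  # RFC 1035 character-string limit


def der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # keep the INTEGER positive
        body = b"\x00" + body
    return der_tlv(0x02, body)


def build_spki(n, e=65537):
    """SubjectPublicKeyInfo for an RSA key, the encoding DKIM's p= tag carries."""
    alg = der_tlv(0x30, RSA_OID_DER + b"\x05\x00")
    rsa_pub = der_tlv(0x30, der_int(n) + der_int(e))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_pub))


def make_record(bits):
    """Constructed DKIM record with a dummy modulus of the requested size (not a real key)."""
    n = (1 << (bits - 1)) | 1
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(build_spki(n)).decode()


def to_txt_strings(record):
    """Split a record into the <=255-octet strings a zone would publish it as."""
    return [record[i:i + MAX_TXT_STRING] for i in range(0, len(record), MAX_TXT_STRING)]


def read_tlv(buf, pos=0):
    """Read one DER tag/length/value; refuse values that run past the buffer."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def modulus_bits(spki):
    """Walk the SPKI down to the RSAPublicKey modulus and return its bit length."""
    tag, body, _ = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _, pos = read_tlv(body)            # skip AlgorithmIdentifier
    tag, bitstr, _ = read_tlv(body, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_pub, _ = read_tlv(bitstr[1:])  # drop the unused-bits octet
    _, n_bytes, _ = read_tlv(rsa_pub)     # first INTEGER is the modulus
    return int.from_bytes(n_bytes, "big").bit_length()


def parse_tag_list(text):
    """tag=value pairs separated by ';', with folding whitespace removed from values."""
    tags = {}
    for item in text.split(";"):
        if item.strip():
            name, _, value = item.partition("=")
            tags[name.strip()] = "".join(value.split())
    return tags


def key_bits_from_txt(strings):
    """RFC 6376 behaviour: concatenate every string of the TXT RR, then parse."""
    tags = parse_tag_list("".join(strings))
    return modulus_bits(base64.b64decode(tags["p"]))


def key_bits_first_string_only(strings):
    """The broken-verifier behaviour: only the first string is read; None on failure."""
    try:
        tags = parse_tag_list(strings[0])
        return modulus_bits(base64.b64decode(tags["p"]))
    except (KeyError, IndexError, ValueError, binascii.Error):
        return None


if __name__ == "__main__":
    for bits in (1024, 2048):
        strings = to_txt_strings(make_record(bits))
        print(bits, "bits ->", len(strings), "TXT string(s);",
              "concatenated:", key_bits_from_txt(strings),
              "first-only:", key_bits_first_string_only(strings))
```

The same check can be run against a real record by feeding the list of quoted strings shown by `dig TXT` for the selector name into `key_bits_from_txt`; the DER walker above only extracts the modulus length and does no validation beyond that.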