Without marking the published key as obsolete, a downgrade attack is possible, because an attacker can still use a weaker key to spoof a signature.

Friday, 07 April 2017, 02:58 +03:00, from John Levine jo...@taugh.com:
>> 1. produce 2 different DKIM-Signatures with 2 different selectors:
>> selector1 with SHA-1 + RSA and selector2 with SHA-512 + ECDSA
>
> Of course.
>
>> 2. add an additional field to either selector1 DKIM DNS record (need to
>> consult RFC if it's allowed) or to DKIM-Signature with selector1 (it's
>> allowed but probably is not enough to protect against downgrade) to
>> indicate the selector is legacy-only, e.g. o=sha512/eccp256 to indicate
>> this selector should be ignored if verifier supports sha-512 and eccp256.
>
> No. If the verifier is smart enough to understand new algorithms, it
> is smart enough to figure out which signature to prefer. Also keep in
> mind that the legacy crypto is sha256/rsa1024 which is plenty strong
> for the foreseeable future.
>
> R's,
> John
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
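The selection step the two posters are arguing about, as an added example that is not code from the dmarc list or from any DKIM implementation. It models only what a verifier does before checking any cryptography: parse the `a=` and `s=` tags of each DKIM-Signature field, drop signatures whose algorithm it does not implement or whose selector record is missing or revoked (an empty `p=` tag in the selector's DNS record, per RFC 6376), and prefer the strongest of the rest. Run against a dual-signed message it picks the strongest signature each verifier understands, as John says; run against the same message with only the weak signature left, it shows why the first poster's point holds: the weak signature keeps verifying everywhere until that selector's key is withdrawn. The sample headers, the key records, the `ALGO_RANK` ordering and the algorithm name `ecdsa-sha512` (a stand-in for the thread's ECC/SHA-512 selector; it is not a registered DKIM algorithm) are constructed for illustration.

```python
"""Selecting among multiple DKIM-Signature fields and spotting the downgrade case.

Added example for the thread above; not code from the dmarc list or any DKIM
implementation. Only the signature-selection step is modelled; no cryptographic
verification is performed.
"""

# Strength ordering for the algorithms used here, weakest first (constructed).
# rsa-sha1 and rsa-sha256 are RFC 6376 names, ed25519-sha256 is RFC 8463;
# ecdsa-sha512 is a constructed stand-in for the ECC/SHA-512 selector from the thread.
ALGO_RANK = {"rsa-sha1": 0, "rsa-sha256": 1, "ed25519-sha256": 2, "ecdsa-sha512": 3}


def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict.

    Folding whitespace inside a value is removed, as RFC 6376 requires for
    tags such as b= and p=.
    """
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags


def usable_signatures(headers, supported, published_keys):
    """Return (rank, selector, algorithm) for every signature this verifier could check.

    A signature is unusable when its algorithm is not implemented locally, or
    when the selector's key record is absent or carries an empty p= tag, which
    RFC 6376 section 3.6.1 defines as a revoked key.
    """
    out = []
    for header in headers:
        tags = parse_tags(header)
        algo, selector = tags.get("a", "").lower(), tags.get("s", "")
        if algo not in supported or algo not in ALGO_RANK:
            continue
        record = published_keys.get(selector)
        if record is None or parse_tags(record).get("p", "") == "":
            continue
        out.append((ALGO_RANK[algo], selector, algo))
    return out


def choose_signature(headers, supported, published_keys):
    """Strongest verifiable signature as (selector, algorithm), or None if there is none."""
    usable = usable_signatures(headers, supported, published_keys)
    if not usable:
        return None
    _rank, selector, algo = max(usable)   # tuples compare on rank first
    return selector, algo


# Constructed sample: one message signed twice, once per selector (bh= and b= are placeholders).
DUAL_SIGNED = [
    "v=1; a=rsa-sha1; d=example.com; s=selector1; h=from:to:subject; bh=BH1; b=SIG1",
    "v=1; a=ecdsa-sha512; d=example.com; s=selector2; h=from:to:subject; bh=BH2; b=SIG2",
]
# The same message with the stronger signature stripped: what a downgrade looks like to the verifier.
WEAK_ONLY = DUAL_SIGNED[:1]

# Two verifier profiles: one that implements every algorithm above, one that is RSA-only.
MODERN_VERIFIER = {"rsa-sha1", "rsa-sha256", "ed25519-sha256", "ecdsa-sha512"}
LEGACY_VERIFIER = {"rsa-sha1", "rsa-sha256"}

# Constructed selector records as they would be fetched from DNS (key material is a placeholder).
KEYS_BOTH_LIVE = {
    "selector1": "v=DKIM1; k=rsa; p=CONSTRUCTED_RSA_KEY",
    "selector2": "v=DKIM1; p=CONSTRUCTED_ECC_KEY",
}
# selector1 withdrawn: an empty p= marks the key as revoked (RFC 6376 section 3.6.1).
KEYS_LEGACY_REVOKED = dict(KEYS_BOTH_LIVE, selector1="v=DKIM1; k=rsa; p=")


if __name__ == "__main__":
    print("modern verifier, dual-signed:    ", choose_signature(DUAL_SIGNED, MODERN_VERIFIER, KEYS_BOTH_LIVE))
    print("legacy verifier, dual-signed:    ", choose_signature(DUAL_SIGNED, LEGACY_VERIFIER, KEYS_BOTH_LIVE))
    print("modern verifier, weak only, live:", choose_signature(WEAK_ONLY, MODERN_VERIFIER, KEYS_BOTH_LIVE))
    print("modern verifier, weak only, revoked:", choose_signature(WEAK_ONLY, MODERN_VERIFIER, KEYS_LEGACY_REVOKED))
```

The third call is the case the first poster describes: with selector1's key still published, a message carrying only the SHA-1/RSA signature is accepted by the modern verifier just as readily as by the legacy one, whatever algorithm preference the verifier applies. The fourth call shows the existing DKIM mechanism that closes it: once the selector1 record is published with an empty `p=`, that signature is no longer usable anywhere, and the stronger one is the only one that counts.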