Without marking the published key as obsolete, a downgrade attack is possible, because an attacker can still use a weaker key to spoof a signature.

If you know how to spoof a sha256/rsa1024 signature, I know a lot of people who would like to talk to you.

Other than that, please review RFC 6376. Each signing algorithm has a separate key -- if you don't trust an algorithm, don't publish a key for it.

R's,
John


1. produce 2 different DKIM-Signatures with 2 different selectors:
selector1 with SHA-1 + RSA and selector2 with SHA-512 + ECDSA

Of course.

2. add an additional field to either selector1 DKIM DNS record (need to
consult RFC if it's allowed) or to DKIM-Signature with selector1 (it's
allowed but probably is not enough to protect against downgrade) to
indicate the selector is legacy-only, e.g. o=sha512/eccp256 to indicate
this selector should be ignored if verifier supports sha-512 and eccp256.

No.  If the verifier is smart enough to understand new algorithms, it
is smart enough to figure out which signature to prefer.  Also keep in
mind that the legacy crypto is sha256/rsa1024 which is plenty strong
for the foreseeable future.
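The selection logic the reply describes, as an added example that is not code from the thread or from any DKIM implementation: a verifier that knows several algorithms looks at every DKIM-Signature on the message, keeps only those whose algorithm it supports and whose selector has a key published, and checks the strongest first, while a legacy verifier simply falls back to the signature it can handle. DNS is simulated with a dictionary, the preference order is a local assumption, and the "ecdsa" key type, selectors and b=/p= values are constructed for the example.

```python
import re

# Local ranking, strongest first. This ordering is an assumption for the example,
# not something RFC 6376 prescribes; a real verifier would maintain its own policy.
ALGORITHM_PREFERENCE = ["ecdsa-sha512", "rsa-sha256", "rsa-sha1"]


def parse_tags(tag_list):
    """Parse a DKIM tag=value list (header or DNS record) into a dict, dropping folding whitespace."""
    tags = {}
    for part in tag_list.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def choose_signature(signatures, published_keys, supported=ALGORITHM_PREFERENCE):
    """Return (selector, algorithm) of the signature to verify first, or None.

    A signature is skipped when its algorithm is not in `supported`, when no key is
    published for its selector (the sender withdrew or never published it), or when the
    published key type does not match the algorithm (each algorithm has its own key).
    """
    candidates = []
    for header_value in signatures:
        sig = parse_tags(header_value)
        alg, selector, domain = sig.get("a"), sig.get("s"), sig.get("d")
        if alg not in supported:
            continue
        record = published_keys.get(f"{selector}._domainkey.{domain}")
        if record is None:
            continue  # no key in DNS: nothing to verify against
        key_type = parse_tags(record).get("k", "rsa")  # RFC 6376 default for k= is rsa
        if key_type != alg.split("-")[0]:
            continue  # key type and signature algorithm disagree
        candidates.append((supported.index(alg), selector, alg))
    if not candidates:
        return None
    return min(candidates)[1:]


# Constructed sample headers; the bh= and b= values are placeholders, not real signatures.
SAMPLE_SIGNATURES = [
    "v=1; a=rsa-sha1; d=example.com; s=selector1; h=from:to:subject; bh=AAA=; b=BBB=",
    "v=1; a=ecdsa-sha512; d=example.com; s=selector2; h=from:to:subject; bh=CCC=; b=DDD=",
]
# Constructed DNS view: one TXT record per selector, each carrying a key for one algorithm.
# "k=ecdsa" is hypothetical; RFC 6376 registers only rsa for this tag.
PUBLISHED_KEYS = {
    "selector1._domainkey.example.com": "v=DKIM1; k=rsa; p=MIGf...",
    "selector2._domainkey.example.com": "v=DKIM1; k=ecdsa; p=MFkw...",
}
```

Dropping the selector1 record from `PUBLISHED_KEYS` is the thread's "don't publish a key for it": the SHA-1 signature then has nothing to verify against and is ignored even by a verifier that still supports rsa-sha1.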

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc