Re: [dmarc-ietf] ARC Minimum Key Sizes

2017-01-20 Thread Peter Goldstein
I think Scott's point about operational options is well taken. Google ran into some operational issues with some DNS vendors when they attempted to make all new G Suite DKIM keys 2048 - they rolled back to making 2048 bit keys the default, but allowing 1024 bit keys as an option. The MUST/SHOULD

Re: [dmarc-ietf] ARC Minimum Key Sizes

2017-01-20 Thread Scott Kitterman
On Friday, January 20, 2017 03:30:58 PM Scott Kitterman wrote: > On Friday, January 20, 2017 you wrote: > > On 01/20/2017 11:23, Scott Kitterman wrote: > > > I'm not on the ARC list, so I'll pile on this thread here... > > > > This is the right place for anything constructive regarding the > > spe

Re: [dmarc-ietf] Section [5.2.1] of the ARC draft

2017-01-20 Thread John Levine
>1) Do we have a normative reference within the RFC framework for key >lengths for different crypto systems, and can we simply invoke that >reference rather than including a hard figure in this spec? There's RFC 3766, but it's over a decade old and has rules for how to figure out how long a key yo

[dmarc-ietf] ARC Minimum Key Sizes

2017-01-20 Thread Scott Kitterman
On Friday, January 20, 2017 you wrote: > On 01/20/2017 11:23, Scott Kitterman wrote: > > I'm not on the ARC list, so I'll pile on this thread here... > > This is the right place for anything constructive regarding the > specification, so no problem regarding any other lists. > > > I understand th

Re: [dmarc-ietf] Section [5.2.1] of the ARC draft

2017-01-20 Thread Steven M Jones
On 01/20/2017 11:23, Scott Kitterman wrote: > > I'm not on the ARC list, so I'll pile on this thread here... This is the right place for anything constructive regarding the specification, so no problem regarding any other lists. > I understand the minimum key size in the draft is 512 bits. I'm

Re: [dmarc-ietf] Section [5.2.1] of the ARC draft

2017-01-20 Thread Gene Shuman
Kurt, I think terminating the chain with a cv=invalid is a good approach. The general idea being that if there is any seal found with cv=invalid then validation fails & we don't continue the chain. When a good intermediary finds an invalid chain, a seal is affixed(no need for AMS, or AAR), with th

Re: [dmarc-ietf] Section [5.2.1] of the ARC draft

2017-01-20 Thread Scott Kitterman
On Friday, January 20, 2017 07:48:28 AM Kurt Andersen wrote: > On Thu, Jan 19, 2017 at 9:02 PM, Murray S. Kucherawy > > wrote: > > On Thu, Jan 19, 2017 at 12:55 AM, Kurt Andersen wrote: > >> The intent of section 5.2.1 was never to deal with pathological cases. It > >> was to deal with somewhat