Re: Key size advisory

From: Steve Jenkins <>
Date: Thu, 25 Oct 2012 13:59:00 -0700

On Wed, Oct 24, 2012 at 1:04 PM, Murray S. Kucherawy <> wrote:
> There has been a lot of press today about weak DKIM keys in production. For
> example:
> libopendkim has, since its very earliest versions (and going back into its
> life as "libdkim"), it has included an accessor function that allows the
> caller to ask for the size of the key used to generate the signature. This
> means users of the library can already selectively ignore signatures
> generated with weak keys, without the need for a patch to the library. (You
> might not yet be using the accessor, but it is available to you.)
> The filter has not, however, made use of this other than for logging.
> Moreover, there's nothing preventing one from generating signatures with
> weak keys, other than documentation.
> As of 2.7.0, there will be a (configurable) minimum key size of 1024 both
> for signing and verifying; received signatures that don't meet the limit
> will not be able to pass, and giving the library a key that doesn't meet the
> minimum will result in an error.

Someone actually added this as a feature for me to add to the
Fedora/RHEL package in Bugzilla. So the next version of the package
based on 2.7.0 will default to the 1024 keysize.

Received on Thu Oct 25 2012 - 20:59:12 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:44 PST