[cryptography] DKIM: Who cares?
solar at openwall.com
Thu Oct 25 06:32:37 EDT 2012
On Thu, Oct 25, 2012 at 12:21:56PM +1300, Peter Gutmann wrote:
> Steven Bellovin recently forwarded the following link to another list:
> In summary, it turns out that what seems like half the world's DKIM users are
> using toy keys as short as 384 bits. This isn't just Joe's Pizza and
> Panelbeating, it's a worldwide who's-who of big-site DKIM users all using weak
> keys. Does anyone know why they all do this? Since it's so widespread, my
> guess is that the organisations involved don't really care about it and are
> just going through the motions, "we're doing this for form's sake and because
> not doing so would look bad, not because we believe it adds anything
I think in practice DKIM is an imperfect and not very effective
anti-spam and anti-phishing measure (one of many), and there's indeed
not much need to make keys large until the old keys get cracked and
start to be used by spammers/phishers (which did not happen so far, as
far as I'm aware).
Yet I guess there's some reduction in spam/phish mail received e.g. by
Googlers as a result of Google mail servers refusing to accept mail with
@google.com Froms unless the signature is valid.
A reason to use moderately small DKIM keys (crackable with moderate
effort, so 512-bit sounds just right at this time) is to allow for
plausible deniability in case private e-mail messages leak to the public
(or to an adversary). I think this should be explicitly mentioned as a
reason to use short-lived smaller keys (over long-lived larger keys) in
a future revision of the DKIM RFC (a successor to RFC 6376).
People sometimes deliberately don't sign their messages e.g. with PGP,
even those who do use PGP on a regular basis, and it's not good for mail
servers to force signatures upon them (even if those signatures prove a
More information about the cryptography