[cryptography] DKIM: Who cares?

Andy Steingruebl andy at steingruebl.com
Fri Oct 26 15:58:51 EDT 2012

On Fri, Oct 26, 2012 at 2:27 AM, ianG <iang at iang.org> wrote:

>> - It probably wasn't an accidental mis-config, because it's unlikely that a
>>   pile of major organisations would all make the same config mistake. Look at
>>   SSL, the exact same organisations have no problem using strong SSL keys, but
>>   the same thing with DKIM uses weak keys.

Tools like Ivan Ristic's SSL Labs (https://www.ssllabs.com/) have done
wonders for those wishing to make sure they have configured their HTTPS
webservers correctly.

You'll notice that similarly easy-to-use tools for other systems employing
cryptography aren't what I'd call abundant.

>> That means there was probably some business, legal, or social reason why
>> this occurred.

I expect initially, yes.  Afterwards though I think a lack of easy-to-use
tooling and monitoring tools is more to blame than anything.

In the HTTPS world it is almost always the case that the organization that
generates and manages the keys also manages/runs the webserver.

In the email world you'll find that with the amount of outsourcing to ESPs
the same thing isn't true.  This makes DKIM more operationally complex than
HTTPS.  Not unbearably mind you, but definitely more complex.

- Andy
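The kind of easy-to-use check the post says is missing for DKIM, as an added example that is not part of the original message: it parses a DKIM TXT record (the `p=` tag is a base64 SubjectPublicKeyInfo) and reports the RSA modulus size against the 1024-bit floor RFC 6376 sets for signers. The DER helpers and `make_dkim_record` are assumptions used only to build constructed test records; a real checker would fetch `<selector>._domainkey.<domain>` over DNS instead.

```python
import base64

# Minimal DER helpers for the parts of SubjectPublicKeyInfo a DKIM p= tag carries.
def _der_len(n):
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(nb)]) + nb

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8, "big")
    return _tlv(0x02, (b"\x00" + b) if b[0] & 0x80 else b)  # keep INTEGER positive

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

RSA_ALG_ID = bytes.fromhex("06092a864886f70d0101010500")  # OID rsaEncryption + NULL

def make_dkim_record(modulus, exponent=65537):
    """Constructed test data (assumption): wrap integers as a DKIM TXT record (RFC 6376)."""
    rsa_key = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    spki = _tlv(0x30, _tlv(0x30, RSA_ALG_ID) + _tlv(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def dkim_key_bits(txt_record):
    """Modulus size in bits of the RSA key in a DKIM record; None if revoked or not RSA."""
    tags = {k.strip(): v.strip() for k, v in
            (item.split("=", 1) for item in txt_record.split(";") if "=" in item)}
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return None                           # empty p= means the key is revoked
    spki = base64.b64decode(tags["p"])        # whitespace from DNS folding is ignored
    _, spki_body, _ = _read_tlv(spki, 0)      # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _read_tlv(spki_body, 0)       # AlgorithmIdentifier, skipped
    _, bitstr, _ = _read_tlv(spki_body, pos)  # BIT STRING; first byte = unused bits
    _, rsa_body, _ = _read_tlv(bitstr[1:], 0) # RSAPublicKey SEQUENCE
    _, modulus, _ = _read_tlv(rsa_body, 0)    # INTEGER modulus comes first
    return int.from_bytes(modulus, "big").bit_length()

def assess_dkim_record(txt_record, minimum_bits=1024):
    """Report like an SSL-Labs-style checker would; 1024 is RFC 6376's signer minimum."""
    bits = dkim_key_bits(txt_record)
    if bits is None:
        return "no usable RSA key"
    return "ok" if bits >= minimum_bits else f"weak: {bits}-bit RSA"
```

Calling `assess_dkim_record(make_dkim_record((1 << 767) | 1))` reports `weak: 768-bit RSA`, while a 1024-bit or larger modulus reports `ok`.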