* Scott Kitterman:

> This is not something that can be dealt with operationally. Unlike
> GPG, where keys are trusted based on signatures and web of trust
> (and people can decline to sign bad keys), in DKIM keys are trusted
> based on their being published in the sending domain's DNS and there
> is no human in the loop.
I still don't see how this is different from the OpenPGP situation. Assuming that DNS is secure enough, if the sender doesn't publish a short key, it's not possible to use one. There is also no certificate chaining which could result in an unknown set of potentially problematic certificates. It really boils down to using DKIM correctly. Rejecting short keys still has value because without such drastic measures, insecure cryptography works as well as secure cryptography, but I don't think this warrants a security update.
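The thread turns on two facts: a DKIM key is trusted only because it is published as a TXT record under the signing domain, and a verifier that refuses short keys is the one place the receiving side can enforce a minimum strength. The following is an added example, not code from the thread or from any DKIM implementation: it parses a `v=DKIM1; k=rsa; p=...` record, decodes the SubjectPublicKeyInfo with a minimal DER reader from the standard library only, and rejects RSA moduli below a configurable size. The record itself is constructed inside the block; the modulus used there has the right bit length but is not a real RSA key, since only its length matters for this check. The function names (`parse_dkim_record`, `rsa_modulus_bits`, `check_dkim_record`, `make_dkim_txt`) are my own.

```python
import base64

# rsaEncryption OID 1.2.840.113549.1.1.1, DER-encoded value bytes.
RSA_OID = bytes.fromhex("2a864886f70d010101")


# --- minimal DER helpers (encoding is only needed to build the test record) ---
def _der_len(n):
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:          # keep the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:        # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def make_dkim_txt(bits):
    """Build a constructed DKIM TXT record with an RSA SPKI of the given modulus size.
    The modulus is a placeholder of the right length, not a usable RSA key."""
    n = (1 << (bits - 1)) | 1
    rsa_pub = _der(0x30, _der_int(n) + _der_int(65537))
    alg_id = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


def parse_dkim_record(txt):
    """Split 'tag=value; tag=value' into a dict; whitespace inside p= is dropped
    because long keys are often published as several concatenated TXT strings."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        k, v = part.split("=", 1)
        tags[k.strip()] = "".join(v.split())
    return tags


def rsa_modulus_bits(spki):
    """Extract the RSA modulus size from a DER SubjectPublicKeyInfo."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg, pos = _read_tlv(body, 0)
    _, oid, _ = _read_tlv(alg, 0)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(body, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_pub, _ = _read_tlv(bitstr[1:], 0)     # skip unused-bits octet
    tag, modulus, _ = _read_tlv(rsa_pub, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(txt, min_bits=1024):
    """Verifier-side policy: return (accepted, reason). Keys shorter than
    min_bits are treated as if the domain had published no usable key."""
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, "unknown record version"
    if tags.get("k", "rsa") != "rsa":
        return False, "unsupported key type: " + tags["k"]
    if not tags.get("p"):
        return False, "key revoked (empty p=)"
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    if bits < min_bits:
        return False, "RSA key too short: %d < %d bits" % (bits, min_bits)
    return True, "RSA %d-bit key accepted" % bits


if __name__ == "__main__":
    for size in (512, 1024, 2048):
        print(size, check_dkim_record(make_dkim_txt(size)))
```

The threshold lives on the receiving side, which is the point of the argument above: publishing a 512-bit key is the sender's mistake, but a verifier that treats such a key as absent is what stops weak signatures from being accepted as strong ones.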