On Thursday, October 25, 2012 08:59:54 PM Florian Weimer wrote: > * Scott Kitterman: > > This is not something that can be dealt with operationally. Unlike > > GPG, where keys are trusted based on signatures and web of trust > > (and people can decline to sign bad keys), in DKIM keys are trusted > > based on their being published in the sending domain's DNS and there > > is no human in the loop. > > I still don't see how this is different from the OpenPGP situation. > > Assuming that DNS is secure enough, If the sender doesn't publish a > short key, it's not possible to use one. There is also no certificate > chaining which could result in an unknown set of potentially > problematic certificates. It really boils down to using DKIM > correctly. > > Rejecting short keys still has value because without such drastic > measures, insecure cryptography works as well as secure cryptography, > but I don't think this warrants a security update.
I think that RC, but not warranting a security update is a reasonable state for this issue. I'll take it up with the release team about how to deal with Wheezy. Scott K
signature.asc
Description: This is a digitally signed message part.
