by LeonM 2082 days ago
Ed25519 curves are currently being adopted for DKIM in RFC8463 [0]. I wrote an article about this [1], where I concluded that Ed25519 is an improvement for DKIM over RSA (smaller keys, deprecation of SHA1).

However, this finding may have big impact on the adoption rate of Ed25519 for DKIM. Specifically for DKIM validators (MTAs).

MTAs are already amongst the worst offenders when it comes to not adhering to the standards. The DKIM canonicalisation scheme [2] is already hard enough to implement on its own; now with this finding we might get even more false positives and negatives in DKIM validation.

Let's hope that the finding will encourage library maintainers to come to a consensus on how to validate Ed25519. And also hope that MTA developers will not try to roll their own...

[0] https://tools.ietf.org/html/rfc8463
[1] https://www.mailhardener.com/kb/how-to-use-dkim-with-ed25519
[2] https://tools.ietf.org/html/rfc6376#section-3.4

3 comments

If I understand the article correctly this isn't a problem for uses of Ed25519 in systems like DKIM or DNSSEC.

These Ed25519 interop problems only arise with maliciously crafted keys and nonces. This is a problem for consensus systems (like Zcash in the article) because the signature is recorded and needs to be verified by many parties, and if a malicious signature tickles an interop bug it can maybe (handwave) force third parties to treat the blockchain as invalid, or something like that. But in the context of DKIM, if a sender generates a signature that a recipient can't validate, by using buggy key generation code that produces small cofactors or noncanonical encodings, only the sender suffers pain.

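The two kinds of problematic key the comment above mentions, non-canonical encodings and small-order (torsion) points, are exactly the inputs on which Ed25519 libraries disagree, and a validator can reject them up front. The following is an added example, not code from the thread, the linked article or any library: a pure-Python decoder that applies the strict checks of RFC 8032 section 5.1.3 (y must be reduced mod p; the "-0" encoding is rejected) and then, going beyond what RFC 8032 requires, rejects points of small order or outside the prime-order subgroup. The classification labels, the helper names and the sample keys (the base point, the identity, the order-2 and order-4 points, a constructed mixed-order key) are this example's own.

```python
"""Strict Ed25519 public-key decoding and subgroup check (added example)."""

P = 2**255 - 19                                  # field prime
D = (-121665 * pow(121666, P - 2, P)) % P        # curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)                # sqrt(-1) mod p
L = 2**252 + 27742317777372353535851937790883648493   # order of the base point
IDENTITY = (0, 1)
BASE_POINT_HEX = "58" + "66" * 31                # RFC 8032 base point B, compressed


def edwards_add(p1, p2):
    """Affine addition on -x^2 + y^2 = 1 + d x^2 y^2 (complete: no special cases)."""
    x1, y1 = p1
    x2, y2 = p2
    k = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow(1 + k, P - 2, P)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - k, P - 2, P)
    return (x3 % P, y3 % P)


def scalar_mult(pt, n):
    """Double-and-add; speed is irrelevant here, clarity is the point."""
    result = IDENTITY
    while n:
        if n & 1:
            result = edwards_add(result, pt)
        pt = edwards_add(pt, pt)
        n >>= 1
    return result


def decode_point(enc: bytes):
    """RFC 8032 5.1.3 decoding with the canonicality checks the RFC requires.
    Returns (x, y) or raises ValueError whose message is the rejection reason."""
    if len(enc) != 32:
        raise ValueError("bad length")
    sign = enc[31] >> 7                                   # low bit of x
    y = int.from_bytes(enc, "little") & ((1 << 255) - 1)  # clear the sign bit
    if y >= P:
        raise ValueError("noncanonical")                  # y not reduced mod p
    u = (y * y - 1) % P
    v = (D * y * y + 1) % P
    xx = u * pow(v, P - 2, P) % P                         # x^2 = (y^2-1)/(d y^2+1)
    x = pow(xx, (P + 3) // 8, P)                          # candidate root (p = 5 mod 8)
    if (x * x - xx) % P:
        x = x * SQRT_M1 % P
    if (x * x - xx) % P:
        raise ValueError("not on curve")
    if x == 0 and sign:
        raise ValueError("noncanonical")                  # "-0" has no canonical form
    if (x & 1) != sign:
        x = P - x
    return (x, y)


def encode_point(pt) -> bytes:
    x, y = pt
    enc = bytearray(y.to_bytes(32, "little"))
    enc[31] |= (x & 1) << 7
    return bytes(enc)


def classify_pubkey(hex_key: str) -> str:
    """Label a 32-byte public key: noncanonical / not on curve / small order /
    mixed order / ok.  Only 'ok' keys lie in the prime-order subgroup."""
    try:
        pt = decode_point(bytes.fromhex(hex_key))
    except ValueError as exc:
        return str(exc)
    if scalar_mult(pt, 8) == IDENTITY:
        return "small order"          # torsion point: signatures are trivial to forge
    if scalar_mult(pt, L) != IDENTITY:
        return "mixed order"          # prime-order part plus a torsion component
    return "ok"


def mixed_order_key_hex() -> str:
    """Constructed sample: base point plus the order-2 point (0, -1)."""
    base = decode_point(bytes.fromhex(BASE_POINT_HEX))
    return encode_point(edwards_add(base, (0, P - 1))).hex()


if __name__ == "__main__":
    samples = {                       # constructed sample encodings
        "base point":       BASE_POINT_HEX,
        "identity":         "01" + "00" * 31,
        "order-2 point":    "ec" + "ff" * 30 + "7f",
        "order-4 point":    "00" * 32,
        "y = p":            "ed" + "ff" * 30 + "7f",
        "-0 encoding":      "ec" + "ff" * 30 + "ff",
        "base + torsion":   mixed_order_key_hex(),
    }
    for name, key in samples.items():
        print(f"{name:16} {classify_pubkey(key)}")
```

A validator that accepts only keys classified "ok" sidesteps the interop differences entirely; a library that instead reduces y mod p, or that skips the cofactor check, will accept some of the keys above and disagree with one that does not.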
It's been a LONG time since I had to administer an SMTP server that handled mail for other people ... Is there a potential for, say, getting an intermediate gateway banned for sending invalid signatures by relaying them via it?

The author's concern is an attack on decentralized consensus process, which isn't a problem for DKIM.

For what it's worth, Ed25519 DNSSEC has negligible deployment. The overwhelming majority of the DNSSEC installed base is RSA, and "elliptic curve" in DNSSEC generally means ECDSA.