From: Jim F. <jf...@bl...> - 2004-09-01 04:50:07

The -01 draft (section 2.3) calls for a minimum key length of 512, an increase from the previous version. The installation instructions describe how to generate a 384 bit key, which seems to be a holdover from the past. But with -02, we'll all have to generate new keys, right? I haven't been able to find any new keys in DNS yet.

Also, I should be able to remember this because I was playing with headerlist canonicalization in the previous version, but is there a way to specify which headers to sign? In other words, which headers go into the h= tag in the signature.

-Jim

From: SM <sm...@re...> - 2004-09-02 07:26:19

Hi Jim,

At 21:49 31-08-2004, Jim Fenton wrote:
>The -01 draft (section 2.3) calls for a minimum key length of 512, an
>increase from the previous version. The installation instructions
>describe how to generate a 384 bit key, which seems to be a holdover
>from the past. But with -02, we'll all have to generate new keys,
>right? I haven't been able to find any new keys in DNS yet.

Section 3 (b)(i) of the install document should be amended to:

    openssl genrsa -out rsa.private 512

>Also, I should be able to remember this because I was playing with
>headerlist canonicalization in the previous version, but is there a way
>to specify which headers to sign? In other words, which headers go into
>the h= tag in the signature.

The release notes mention that "headerlist" canonicalization has been removed.

Regards,
-sm

From: Murray S. K. <ms...@se...> - 2004-09-02 21:41:23

On Thu, 2 Sep 2004, SM wrote:
> Section 3 (b)(i) of the install document should be amended to:
>
> openssl genrsa -out rsa.private 512

Done for next release.

> The release notes mention that "headerlist" canonicalization has been
> removed.

It's an optional part of all signing now, so it doesn't need its own canonicalization name. For both "simple" and "nofws", you can include a header list when signing by using the "-H" option at startup. The verifying side will always honour the header list if present, or include all headers below the signature if no header list is present.

From: Murray S. K. <ms...@se...> - 2004-09-02 21:34:42

On Tue, 31 Aug 2004, Jim Fenton wrote:
> Also, I should be able to remember this because I was playing with
> headerlist canonicalization in the previous version, but is there a way
> to specify which headers to sign? In other words, which headers go into
> the h= tag in the signature.

No, I haven't included that. Should that be in the hands of the administrator?

From: Jim F. <jf...@bl...> - 2004-09-03 03:14:44

On Thu, 2004-09-02 at 14:34, Murray S. Kucherawy wrote:
> On Tue, 31 Aug 2004, Jim Fenton wrote:
> > Also, I should be able to remember this because I was playing with
> > headerlist canonicalization in the previous version, but is there a way
> > to specify which headers to sign? In other words, which headers go into
> > the h= tag in the signature.
>
> No, I haven't included that. Should that be in the hands of the
> administrator?

Ah, I guess it was -H I was looking for. But I think there might be circumstances where one wants to exclude certain headers from the signature (perhaps ones that might be deleted along the way). It also depends somewhat on how headers before the signature are treated -- if they're included (in order to avoid the "added headers" issue brought up by Jose Marcio and SM) then you might be in a bit of trouble if Received makes it into the h= tag.

-Jim
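
Added illustration, not part of the thread and not dk-milter's code: a simplified model of the header selection described above (h= honoured if present, otherwise all headers below the signature) and of the Received concern raised in the last message. The function names, the `include_above` switch and the sample message are assumptions made for this example.

```python
# Simplified model of DomainKeys header selection; not dk-milter code.
# Every name and the sample message below are constructed for illustration.
SIG = "DomainKey-Signature"

def parse_h_tag(sig_value):
    """Return the lowercase header names listed in h=, or None if absent."""
    for tag in sig_value.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip() == "h":
            return [h.strip().lower() for h in value.split(":") if h.strip()]
    return None

def headers_to_verify(headers, include_above=False):
    """headers: list of (name, value) in message order, topmost first.

    Candidates are the headers below the signature. include_above=True
    models the hypothetical in which headers before the signature are
    candidates as well. An h= list, if present, filters the candidates;
    without one, every candidate is covered.
    """
    idx = next(i for i, (n, _) in enumerate(headers) if n.lower() == SIG.lower())
    wanted = parse_h_tag(headers[idx][1])
    pool = headers[idx + 1:]
    if include_above:
        pool = headers[:idx] + pool
    if wanted is None:
        return pool
    return [(n, v) for n, v in pool if n.lower() in wanted]

def sample(h=None, relay_hop=False):
    """Constructed message; relay_hop prepends a Received line added in transit."""
    h_tag = "h=" + ":".join(h) + "; " if h else ""
    sig = "a=rsa-sha1; c=nofws; d=example.com; s=sel; " + h_tag + "b=PLACEHOLDER"
    msg = [(SIG, sig),
           ("Received", "from client.example.com by mail.example.com"),
           ("From", "alice@example.com"),
           ("Subject", "hello")]
    if relay_hop:
        msg.insert(0, ("Received", "from mail.example.com by mx.example.net"))
    return msg
```

With `h=Received:From:Subject`, the covered set is unchanged by a relay hop as long as only headers below the signature are candidates; with `include_above=True` the hop's own Received line joins the set and no longer matches what was signed.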